International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Dmitry Khovratovich

Affiliation: University of Luxembourg

Publications

Year
Venue
Title
2016
TOSC
Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs
Alex Biryukov Dmitry Khovratovich Léo Perrin
We devise the first closed formula for the number of rounds of a blockcipher with secret components so that these components can be revealed using multiset, algebraic-degree, or division-integral properties, which in this case are equivalent. Using the new result, we attack 7 (out of 9) rounds of Kuznyechik, the recent Russian blockcipher standard, thus halving its security margin. With the same technique we attack 6 (out of 8) rounds of Khazad, the legacy 64-bit blockcipher. Finally, we show how to cryptanalyze and find a decomposition of generic SPN construction for which the inner-components are secret. All the attacks are the best to date.
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2015
FSE
2015
ASIACRYPT
2014
EPRINT
2014
EPRINT
2014
JOFC
2014
ASIACRYPT
2014
FSE
2012
EUROCRYPT
2012
CRYPTO
2012
ASIACRYPT
2012
FSE
2011
ASIACRYPT
2010
EPRINT
Feasible Attack on the 13-round AES-256
Alex Biryukov Dmitry Khovratovich
In this note we present the first attack with feasible complexity on the 13-round AES-256. The attack runs in the related-subkey scenario with four related keys, in 2^{76} time, data, and memory.
2010
ASIACRYPT
2010
EUROCRYPT
2010
FSE
2009
ASIACRYPT
2009
CRYPTO
2009
FSE
2009
FSE
2008
EPRINT
New State Recovery Attack on RC4
Alexander Maximov Dmitry Khovratovich
The stream cipher RC4 was designed by R.~Rivest in 1987, and it has a very simple and elegant structure. It is probably the most deployed cipher on the Earth. ~~~~In this paper we analyse the class RC4-$N$ of RC4-like stream ciphers, where $N$ is the modulus of operations, as well as the length of internal arrays. Our new attack is a state recovery attack which accepts the keystream of a certain length, and recovers the internal state. For the original RC4-256, our attack has total complexity of around $2^{241}$ operations, whereas the best previous attack needs $2^{779}$ of time. Moreover, we show that if the secret key is of length $N$ bits or longer, the new attack works faster than an exhaustive search. The algorithm of the attack was implemented and verified on small cases.
2008
CRYPTO
2007
CHES
2007
CHES
2006
EPRINT
Divisibility of the Hamming Weight by $2^k$ and Monomial Criteria for Boolean Functions
Dmitry Khovratovich
In this paper we consider the notions of the Hamming weight and the algebraic normal form. We solve an open problem devoted to checking divisibility of the weight by $2^k$. We generalize the criterion for checking the evenness of the weight in two ways. Our main result states that for checking whether the Hamming weight of $f$ is divisible by $2^k, \,k>1$, it is necessary and sufficient to know its algebraic normal form accurate to an additive constant.

Program Committees

FSE 2017
Eurocrypt 2016
FSE 2015
FSE 2014
Eurocrypt 2013
FSE 2013
FSE 2012