Cryptomeria cipher

Cryptomeria cipher
	The Feistel function of the Cryptomeria cipher.
General
Designers	4C Entity
First published	2003
Derived from	DES
Related to	CSS
Cipher detail
Key sizes	56 bits
Block sizes	64 bits
Structure	Feistel network
Rounds	10
Best public cryptanalysis
	A boomerang attack breaks all 10 rounds in 248 time with known S-box, or 253.5 with an unknown S-box, using 244 adaptively chosen plaintexts/ciphertexts.

Last updated October 30, 2023

The Cryptomeria cipher, also called C2, is a proprietary block cipher defined and licensed by the 4C Entity. It is the successor to CSS algorithm (used for DVD-Video) and was designed for the CPRM/CPPM digital rights management scheme which are used by DRM-restricted Secure Digital cards and DVD-Audio discs.

Cipher details

The C2 symmetric key algorithm is a 10-round Feistel cipher. Like DES, it has a key size of 56 bits and a block size of 64 bits. The encryption and decryption algorithms are available for peer review, but implementations require the so-called "secret constant", the values of the substitution box (S-box), which are only available under a license from the 4C Entity.

The 4C Entity licenses a different set of S-boxes for each application (such as DVD-Audio, DVD-Video and CPRM).^[2]

Cryptanalysis

In 2008, an attack was published against a reduced 8-round version of Cryptomeria to discover the S-box in a chosen-key scenario. In a practical experiment, the attack succeeded in recovering parts of the S-box in 15 hours of CPU time, using 2 plaintext-ciphertext pairs.^[2]

A paper by Julia Borghoff, Lars Knudsen, Gregor Leander and Krystian Matusiewicz in 2009 breaks the full-round cipher in three different scenarios; it presents a 2²⁴ time complexity attack to recover the S-box in a chosen-key scenario, a 2⁴⁸ boomerang attack to recover the key with a known S-box using 2⁴⁴ adaptively chosen plaintexts/ciphertexts, and a 2^53.5 attack when both the key and S-box are unknown.^[1]

Distributed brute force cracking effort

Following an announcement by Japanese HDTV broadcasters that they would start broadcasting programs with the copy-once broadcast flag starting with 2004-04-05, a distributed Cryptomeria cipher brute force cracking effort was launched on 2003-12-21. To enforce the broadcast flag, digital video recorders employ CPRM-compatible storage devices, which the project aimed to circumvent. However, the project was ended and declared a failure on 2004-03-08 after searching the entire 56-bit keyspace, failing to turn up a valid key for unknown reasons.^[3] Because the attack was based on S-box values from DVD-Audio, it was suggested that CPRM may use different S-boxes.^[4]

Another brute force attack to recover DVD-Audio CPPM device keys was mounted on 2009-05-06. The attack was intended to find any of 24570 secret device keys by testing MKB file from Queen "The Game" DVD-Audio disc. On 2009-10-20 such key for column 0 and row 24408 was discovered.

The similar brute force attack to recover DVD-VR CPRM device keys was mounted on 2009-10-20. The attack was intended to find any of 3066 secret device keys by testing MKB from Panasonic LM-AF120LE DVD-RAM disc. On 2009-11-27 such key for column 0 and row 2630 was discovered.

By now the CPPM/CPRM protection scheme is deemed unreliable.

Notes

1 2 Borghoff, Julia; Knudsen, Lars R.; Leander, Gregor; Matusiewicz, Krystian (2009). "Cryptanalysis of C2". Advances in Cryptology - CRYPTO 2009. Lecture Notes in Computer Science. Vol. 5677. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 250–266. doi:10.1007/978-3-642-03356-8_15. ISBN 978-3-642-03355-1. ISSN 0302-9743.
1 2 Ralf-Philipp Weimann (2008-03-01). "Algebraic Methods in Block Cipher Cryptanalysis" (PDF). Darmstadt University of Technology. (Abstract is in German, rest is in English)
↑ "Distributed C2 Brute Force Attack: Status Page" . Retrieved 2006-08-14.
"C2 Brute Force Crack - team timecop". Archived version of cracking team's English web site. Archived from the original on 2005-03-06. Retrieved 2006-10-30.
↑ "Discussion about the attack (Archived)". Archived from the original on 2005-03-16. Retrieved 2006-10-30.

Related Research Articles

<span class="mw-page-title-main">Cryptanalysis</span> Study of analyzing information systems in order to discover their hidden aspects

Cryptanalysis refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

In cryptography, a transposition cipher is a method of encryption which scrambles the positions of characters (transposition) without changing the characters themselves. Transposition ciphers reorder units of plaintext according to a regular system to produce a ciphertext which is a permutation of the plaintext. They differ from substitution ciphers, which do not change the position of units of plaintext but instead change the units themselves. Despite the difference between transposition and substitution operations, they are often combined, as in historical ciphers like the ADFGVX cipher or complex high-quality encryption methods like the modern Advanced Encryption Standard (AES).

In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.

Articles related to cryptography include:

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It is one of several implementations of the A5 security protocol. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

In cryptography, a ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks, the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext. Standard protocol data and messages are commonly part of the plaintext in many deployed systems, and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems.

The Common Scrambling Algorithm (CSA) is the encryption algorithm used in the DVB digital television broadcasting for encrypting video streams.

In cryptography, DES-X is a variant on the DES symmetric-key block cipher intended to increase the complexity of a brute-force attack. The technique used to increase the complexity is called key whitening.

In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.

In cryptography, Madryga is a block cipher published in 1984 by W. E. Madryga. It was designed to be easy and efficient for implementation in software. Serious weaknesses have since been found in the algorithm, but it was one of the first encryption algorithms to make use of data-dependent rotations, later used in other ciphers, such as RC5 and RC6.

In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.

Content Protection for Recordable Media and Pre-Recorded Media is a mechanism for controlling the copying, moving, and deletion of digital media on a host device, such as a personal computer, or other player. It is a form of digital rights management (DRM) developed by The 4C Entity, LLC.

The 4C Entity is a digital rights management (DRM) consortium formed by IBM, Intel, Panasonic and Toshiba that has established and licensed interoperable cryptographic protection mechanisms for removable media technologies. 4C Entity was founded in 1999 when Warner Music approached the companies to develop stronger DRM technologies for the then-novel DVD-Audio format after Intel’s CSS DRM technology was hacked.

In cryptanalysis, attack models or attack types are a classification of cryptographic attacks specifying the kind of access a cryptanalyst has to a system under attack when attempting to "break" an encrypted message generated by the system. The greater the access the cryptanalyst has to the system, the more useful information they can get to utilize for breaking the cypher.

In cryptography, the Davies attack is a dedicated statistical cryptanalysis method for attacking the Data Encryption Standard (DES). The attack was originally created in 1987 by Donald Davies. In 1994, Eli Biham and Alex Biryukov made significant improvements to the technique. It is a known-plaintext attack based on the non-uniform distribution of the outputs of pairs of adjacent S-boxes. It works by collecting many known plaintext/ciphertext pairs and calculating the empirical distribution of certain characteristics. Bits of the key can be deduced given sufficiently many known plaintexts, leaving the remaining bits to be found through brute force. There are tradeoffs between the number of required plaintexts, the number of key bits found, and the probability of success; the attack can find 24 bits of the key with 2⁵² known plaintexts and 53% success rate.

In cryptography, a distinguishing attack is any form of cryptanalysis on data encrypted by a cipher that allows an attacker to distinguish the encrypted data from random data. Modern symmetric-key ciphers are specifically designed to be immune to such an attack. In other words, modern encryption schemes are pseudorandom permutations and are designed to have ciphertext indistinguishability. If an algorithm is found that can distinguish the output from random faster than a brute force search, then that is considered a break of the cipher.

Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.

References

"C2 Block Cipher Specification" (PDF). 1.0. 4C Entity, LLC. 2003-01-17. Archived from the original (PDF) on 2011-07-18. Retrieved 2009-02-13.
"Software Obfuscation from Crackers' Viewpoint" (PDF). Proceedings of the IASTED International Conference. Puerto Vallarta, Mexico. 2006-01-23. Archived from the original (PDF) on 2007-09-26. Retrieved 2006-08-13.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[borghoff-et-al-1] 1 2 Borghoff, Julia; Knudsen, Lars R.; Leander, Gregor; Matusiewicz, Krystian (2009). "Cryptanalysis of C2". Advances in Cryptology - CRYPTO 2009. Lecture Notes in Computer Science. Vol. 5677. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 250–266. doi:10.1007/978-3-642-03356-8_15. ISBN 978-3-642-03355-1. ISSN 0302-9743.

[algebraic-attacks-2] 1 2 Ralf-Philipp Weimann (2008-03-01). "Algebraic Methods in Block Cipher Cryptanalysis" (PDF). Darmstadt University of Technology. (Abstract is in German, rest is in English)

[distributed_crack-3] "Distributed C2 Brute Force Attack: Status Page" . Retrieved 2006-08-14.
"C2 Brute Force Crack - team timecop". Archived version of cracking team's English web site. Archived from the original on 2005-03-06. Retrieved 2006-10-30.

[4] "Discussion about the attack (Archived)". Archived from the original on 2005-03-16. Retrieved 2006-10-30.

[1]

[2]

[3]

[4]