
Our Publications

Fault-Assisted Side Channel Analysis of HMAC-Streebog, Cryptologia, vol. 49(2), pp. 153-169, Taylor & Francis, 2025.
Gautham Sekar, Mabin Joseph, R. Balasubramanian
Streebog is a family of hash functions defined in the Russian cryptographic standard GOST R 34.11-2012. HMAC-Streebog, defined in RFC 7836, is a Streebog-based message authentication code that supports key sizes from 256 bits to 512 bits. In this article, we present fault-assisted side channel attacks on HMAC-Streebog-256 and HMAC-Streebog-512 that recover the keys in real time with 2^12.98 and 2^14.97 fault injections on average, respectively, to ensure 95% success. The attacker is assumed to be able to simultaneously flip at most 181 chosen bits of the inner hash for the 256-bit variant and 361 chosen bits of the inner hash for the 512-bit variant. Compared with existing fault attacks on HMAC-Streebog, our attacks have a larger temporal window for fault injection, target a more accessible location, and cannot be mitigated with output redundancy countermeasures. Some of the latest hardware vulnerabilities make HMAC-Streebog implementations vulnerable to our attacks.
Revisiting the Security of the Software-Efficient Stream Ciphers RCR-64 and RCR-32, The Computer Journal, vol. 67(4), pp. 1590-1602, Oxford University Press, 2024.
Mabin Joseph, Gautham Sekar, R. Balasubramanian
The synchronous stream ciphers RCR-64 and RCR-32, designed by Sekar, Paul and Preneel, are strengthened variants of the ciphers TPy and TPypy (designed by Biham and Seberry), respectively. The RCR ciphers have remained unbroken since they were published in 2007. In this paper, we present arguments that not only support the designers' security claims but also suggest, in general, that the ciphers are secure against several classes of cryptanalytic attacks. We find that the ciphers are best used with 256-bit keys and 384-bit IVs. We also suggest ways to protect software implementations of the RCR ciphers against (cache-)timing and processor flag attacks. Our performance evaluation suggests that the protected implementation of RCR-64 encrypts long messages at speeds comparable to some of the fastest stream ciphers available today. Consequently, we find that the RCR ciphers may be well suited to PC-based applications in general and streaming audio/video applications in particular. This is the first paper to present a detailed study of the security and performance of the RCR ciphers.
On the Security of the Stream Ciphers RCR-64 and RCR-32, The Computer Journal, vol. 65(12), pp. 3091-3099, Oxford University Press, 2022.
Mabin Joseph, Gautham Sekar, R. Balasubramanian, G. Venkiteswaran
The stream ciphers RCR-64 and RCR-32, designed by Sekar et al., are the most recent additions to the Py family of stream ciphers originally designed by Biham et al. The ciphers are among the fastest stream ciphers in software. To the best of our knowledge, the only reported attacks on the ciphers are due to Ding et al., published in the Journal of Universal Computer Science. In this paper, we review these alleged attacks on the RCR ciphers and show that they rest on non-existent keystream biases stemming from flawed probability calculations.
Side Channel Analysis of SPECK, Journal of Computer Security, vol. 28(6), pp. 655-676, IOS Press, 2020.
Mabin Joseph, Gautham Sekar and R. Balasubramanian
SPECK is a family of lightweight block ciphers developed by Beaulieu et al. of the US National Security Agency (NSA) for the Internet of Things (IoT). It is an ARX-based design with a Feistel-like structure that supports key sizes from 64 bits to 256 bits. SPECK has been standardised by ISO/IEC for radio frequency identification (RFID) devices. It has drawn the attention of many cryptanalysts, and several cryptanalysis results have been published. In this paper, carry flag attacks on the full SPECK ciphers are presented. Depending on the key size and block size, the complexities of our attacks, to nearly ensure success, range from 2^59 time and 2^14 data to 2^227 time and 2^62 data.
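As an added example (not code from the paper and not the SPECK designers' own code), the following Python implements SPECK encryption for all ten (block size, key size) parameter sets of the specification and records, for each round, the carry out of the round's single modular addition. That the processor carry flag set by this addition is the quantity a carry flag side channel observes is this example's own assumption about the leakage model; the paper's attack itself is not reproduced here. The vectors checked in the `__main__` block are the public test vectors from the SPECK specification.

```python
# Added example: SPECK encryption for every (block, key) parameter set, plus a
# per-round record of the carry out of the round's modular addition. Not code
# from the paper or from the SPECK designers; the carry trace is this
# example's own instrumentation. Assumption: a carry flag side channel
# observes exactly this bit, which the CPU sets when the n-bit addition wraps.

# (block bits, key bits) -> (word size n, key words m, rounds T)
PARAMS = {
    (32, 64): (16, 4, 22),   (48, 72): (24, 3, 22),   (48, 96): (24, 4, 23),
    (64, 96): (32, 3, 26),   (64, 128): (32, 4, 27),  (96, 96): (48, 2, 28),
    (96, 144): (48, 3, 29),  (128, 128): (64, 2, 32), (128, 192): (64, 3, 33),
    (128, 256): (64, 4, 34),
}


def _rot_amounts(n):
    # SPECK32 uses (alpha, beta) = (7, 2); every other word size uses (8, 3).
    return (7, 2) if n == 16 else (8, 3)


def rotl(x, r, n):
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def rotr(x, r, n):
    mask = (1 << n) - 1
    return ((x >> r) | (x << (n - r))) & mask


def expand_key(key_words, block_bits, key_bits):
    """key_words = [k0, l0, l1, ..., l_{m-2}], least significant word first,
    i.e. the reverse of the order in which the specification prints a key."""
    n, m, T = PARAMS[(block_bits, key_bits)]
    alpha, beta = _rot_amounts(n)
    mask = (1 << n) - 1
    k = [key_words[0]]
    l = list(key_words[1:])
    for i in range(T - 1):
        l.append(((k[i] + rotr(l[i], alpha, n)) & mask) ^ i)
        k.append(rotl(k[i], beta, n) ^ l[i + m - 1])
    return k


def encrypt_with_trace(x, y, key_words, block_bits, key_bits):
    """Encrypt the block (x, y) and return (x', y', carries), where
    carries[i] is the carry out of round i's addition (1 iff it wrapped)."""
    n, _, _ = PARAMS[(block_bits, key_bits)]
    alpha, beta = _rot_amounts(n)
    mask = (1 << n) - 1
    carries = []
    for rk in expand_key(key_words, block_bits, key_bits):
        x = rotr(x, alpha, n)
        s = x + y                    # the round's only ARX addition
        carries.append(s >> n)       # processor carry flag after that add
        x = (s & mask) ^ rk
        y = rotl(y, beta, n) ^ x
    return x, y, carries


def encrypt(x, y, key_words, block_bits, key_bits):
    cx, cy, _ = encrypt_with_trace(x, y, key_words, block_bits, key_bits)
    return cx, cy


if __name__ == "__main__":
    # Public test vector from the SPECK specification: SPECK32/64, key
    # 1918 1110 0908 0100, plaintext 6574 694c, ciphertext a868 42f2.
    key = [0x0100, 0x0908, 0x1110, 0x1918]
    cx, cy, carries = encrypt_with_trace(0x6574, 0x694C, key, 32, 64)
    print(f"ciphertext: {cx:04x} {cy:04x}")
    print("carry trace:", "".join(map(str, carries)))
```

The carry trace is one bit per round, so for SPECK32/64 it is a 22-bit string per encryption; the data complexities quoted in the abstract count how many such traces (chosen or known plaintexts) an attack needs, and the time complexity counts the key candidates that must be tried once the trace has been used to constrain them.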

Address: Plot No. 14, F1, Syndicate Bank Colony
Narayanapuram, Pallikaranai
Chennai 600100, INDIA

Phone: +91-8056267430

E-mail: madrasfintech@gmail.com, gautham@madrasfintech.com

GSTIN: 33AANCM1569J1Z5

CIN: U73100TN2019PTC133193


© 2025 Madras Fintech Services Private Ltd. All rights reserved.
