Cryptomeria cipher

Block cipher used by the 4C Entity

Cryptomeria cipher
General
The Feistel function of the Cryptomeria cipher.
Designers	4C Entity
First published	2003
Derived from	DES
Related to	CSS
Cipher detail
Key sizes	56 bits
Block sizes	64 bits
Structure	Feistel network
Rounds	10
Best public cryptanalysis
A boomerang attack breaks all 10 rounds in 2⁴⁸ time with known S-box, or 2^53.5 with an unknown S-box, using 2⁴⁴ adaptively chosen plaintexts/ciphertexts. ^[1]

The Cryptomeria cipher, also called C2, is a proprietary block cipher defined and licensed by the 4C Entity. It is the successor to CSS algorithm (used for DVD-Video) and was designed for the CPRM/CPPM digital rights management scheme which are used by DRM-restricted Secure Digital cards and DVD-Audio discs.

Cipher details

[edit ]

The C2 symmetric key algorithm is a 10-round Feistel cipher. Like DES, it has a key size of 56 bits and a block size of 64 bits. The encryption and decryption algorithms are available for peer review, but implementations require the so-called "secret constant", the values of the substitution box (S-box), which are only available under a license from the 4C Entity.

The 4C Entity licenses a different set of S-boxes for each application (such as DVD-Audio, DVD-Video and CPRM).^[2]

Cryptanalysis

[edit ]

In 2008, an attack was published against a reduced 8-round version of Cryptomeria to discover the S-box in a chosen-key scenario. In a practical experiment, the attack succeeded in recovering parts of the S-box in 15 hours of CPU time, using 2 plaintext-ciphertext pairs.^[2]

A paper by Julia Borghoff, Lars Knudsen, Gregor Leander and Krystian Matusiewicz in 2009 breaks the full-round cipher in three different scenarios; it presents a 2²⁴ time complexity attack to recover the S-box in a chosen-key scenario, a 2⁴⁸ boomerang attack to recover the key with a known S-box using 2⁴⁴ adaptively chosen plaintexts/ciphertexts, and a 2^53.5 attack when both the key and S-box are unknown.^[1]

Distributed brute force cracking effort

[edit ]

Following an announcement by Japanese HDTV broadcasters that they would start broadcasting programs with the copy-once broadcast flag starting with 2004年04月05日, a distributed Cryptomeria cipher brute force cracking effort was launched on 2003年12月21日. To enforce the broadcast flag, digital video recorders employ CPRM-compatible storage devices, which the project aimed to circumvent. However, the project was ended and declared a failure on 2004年03月08日 after searching the entire 56-bit keyspace, failing to turn up a valid key for unknown reasons.^[3] Because the attack was based on S-box values from DVD-Audio, it was suggested that CPRM may use different S-boxes.^[4]

Another brute force attack to recover DVD-Audio CPPM device keys was mounted on 2009年05月06日. The attack was intended to find any of 24570 secret device keys by testing MKB file from Queen "The Game" DVD-Audio disc. On 2009年10月20日 such key for column 0 and row 24408 was discovered.

The similar brute force attack to recover DVD-VR CPRM device keys was mounted on 2009年10月20日. The attack was intended to find any of 3066 secret device keys by testing MKB from Panasonic LM-AF120LE DVD-RAM disc. On 2009年11月27日 such key for column 0 and row 2630 was discovered.

By now the CPPM/CPRM protection scheme is deemed unreliable.

Notes

[edit ]

^ ^a ^b Borghoff, Julia; Knudsen, Lars R.; Leander, Gregor; Matusiewicz, Krystian (2009). "Cryptanalysis of C2". Advances in Cryptology - CRYPTO 2009. Lecture Notes in Computer Science. Vol. 5677. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 250–266. doi:10.1007/978-3-642-03356-8_15. ISBN 978-3-642-03355-1. ISSN 0302-9743.
^ ^a ^b Ralf-Philipp Weimann (2008年03月01日). "Algebraic Methods in Block Cipher Cryptanalysis" (PDF). Darmstadt University of Technology. (Abstract is in German, rest is in English)
^ "Distributed C2 Brute Force Attack: Status Page" . Retrieved 2006年08月14日.
"C2 Brute Force Crack - team timecop". Archived version of cracking team's English web site. Archived from the original on 2005年03月06日. Retrieved 2006年10月30日.
^ "Discussion about the attack (Archived)". Archived from the original on 2005年03月16日. Retrieved 2006年10月30日.

References

[edit ]

"C2 Block Cipher Specification" (PDF). 1.0. 4C Entity, LLC. 2003年01月17日. Archived from the original (PDF) on 2011年07月18日. Retrieved 2009年02月13日.
"Software Obfuscation from Crackers' Viewpoint" (PDF). Proceedings of the IASTED International Conference. Puerto Vallarta, Mexico. 2006年01月23日. Archived from the original (PDF) on 2007年09月26日. Retrieved 2006年08月13日.

v t e Block ciphers (security summary)
Common algorithms	AES Blowfish DES (internal mechanics, Triple DES) Serpent SM4 Twofish
Less common algorithms	ARIA Camellia CAST-128 GOST IDEA LEA RC5 RC6 SEED Skipjack TEA XTEA
Other algorithms	3-Way Adiantum Akelarre Anubis Ascon BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi Kalyna KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Kuznyechik Ladder-DES LOKI (97, 89/91) Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Prince Q RC2 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES xmx XXTEA Zodiac
Design	Feistel network Key schedule Lai–Massey scheme Product cipher S-box P-box SPN Confusion and diffusion Round Avalanche effect Block size Key size Key whitening (Whitening transformation)
Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Biclique attack 3-subset MITM attack Linear (Piling-up lemma) Differential Impossible Truncated Higher-order Differential-linear Distinguishing (Known-key) Integral/Square Boomerang Mod n Related-key Slide Rotational Side-channel Timing Power-monitoring Electromagnetic Acoustic Differential-fault XSL Interpolation Partitioning Rubber-hose Black-bag Davies Rebound Weak key Tau Chi-square Time/memory/data tradeoff
Standardization	AES process CRYPTREC NESSIE NSA Suite B CNSA
Utilization	Initialization vector Mode of operation Padding

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Cryptojacking malware Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=Cryptomeria_cipher&oldid=1182471487"