Cryptomeria cipher

{{Short description|Block cipher used by the 4C Entity}}

{{Infobox block cipher

| name = Cryptomeria cipher

| image = Image:Cryptomeria Feistel function.svg

| caption = The Feistel function of the Cryptomeria cipher.

| designers = 4C Entity

| publish date = 2003

| derived from = DES

| derived to =

| related to = CSS

| key size = 56 bits

| block size = 64 bits

| structure = Feistel network

| rounds = 10

| cryptanalysis = A boomerang attack breaks all 10 rounds in 2<sup>48</sup> time with known S-box, or 2<sup>53.5</sup> with an unknown S-box, using 2<sup>44</sup> adaptively chosen plaintexts/ciphertexts.

{{cite book | last1=Borghoff | first1=Julia | last2=Knudsen | first2=Lars R. | last3=Leander | first3=Gregor | last4=Matusiewicz | first4=Krystian | series=Lecture Notes in Computer Science | volume=5677 | title=Advances in Cryptology - CRYPTO 2009 | chapter=Cryptanalysis of C2 | publisher=Springer Berlin Heidelberg | publication-place=Berlin, Heidelberg | year=2009 | isbn=978-3-642-03355-1 | issn=0302-9743 | doi=10.1007/978-3-642-03356-8_15 | pages=250–266}}

}}

The Cryptomeria cipher, also called C2, is a proprietary block cipher defined and licensed by the 4C Entity. It is the successor to the CSS algorithm (used for DVD-Video) and was designed for the CPRM/CPPM digital rights management scheme, which is used by DRM-restricted Secure Digital cards and DVD-Audio discs.

Cipher details

The C2 symmetric key algorithm is a 10-round Feistel cipher. Like DES, it has a key size of 56 bits and a block size of 64 bits. The encryption and decryption algorithms are available for peer review, but implementations require the so-called "secret constant", the values of the substitution box (S-box), which are only available under a license from the 4C Entity.

The 4C Entity licenses a different set of S-boxes for each application (such as DVD-Audio, DVD-Video and CPRM).{{cite web |author=Ralf-Philipp Weimann |date=2008-03-01 |title=Algebraic Methods in Block Cipher Cryptanalysis |publisher=Darmstadt University of Technology |url=http://tuprints.ulb.tu-darmstadt.de/1362/1/rpwphd.pdf }} (Abstract is in German, rest is in English)

Cryptanalysis

In 2008, an attack was published against a reduced 8-round version of Cryptomeria to discover the S-box in a chosen-key scenario. In a practical experiment, the attack succeeded in recovering parts of the S-box in 15 hours of CPU time, using 2 plaintext-ciphertext pairs.

A paper by Julia Borghoff, Lars Knudsen, Gregor Leander and Krystian Matusiewicz in 2009 breaks the full-round cipher in three different scenarios; it presents a 2<sup>24</sup> time complexity attack to recover the S-box in a chosen-key scenario, a 2<sup>48</sup> boomerang attack to recover the key with a known S-box using 2<sup>44</sup> adaptively chosen plaintexts/ciphertexts, and a 2<sup>53.5</sup> attack when both the key and S-box are unknown.

Distributed brute force cracking effort

Following an announcement by Japanese HDTV broadcasters that they would begin broadcasting programs with the copy-once broadcast flag on 2004-04-05, a distributed brute-force cracking effort against the Cryptomeria cipher was launched on 2003-12-21. To enforce the broadcast flag, digital video recorders employ CPRM-compatible storage devices, which the project aimed to circumvent. However, the project was ended and declared a failure on 2004-03-08 after searching the entire 56-bit keyspace without turning up a valid key, for unknown reasons.

{{cite web

| title=Distributed C2 Brute Force Attack: Status Page

| url=http://www.marumo.ne.jp/c2/bf/status.html

| access-date=2006-08-14

}}

{{cite web

| title=C2 Brute Force Crack - team timecop

| work=Archived version of cracking team's English web site

| url=http://pbx.mine.nu/ch/c2bf/

| access-date=2006-10-30

|archive-url = https://web.archive.org/web/20050306065032/http://pbx.mine.nu/ch/c2bf/ |archive-date = 2005-03-06}}

Because the attack was based on S-box values from DVD-Audio, it was suggested that CPRM may use different S-boxes.{{cite web

| title=Discussion about the attack (Archived)

| url=http://pbx.mine.nu/ch/test/read.cgi/general/1075424427/

| access-date=2006-10-30

|archive-url = https://web.archive.org/web/20050316033144/http://pbx.mine.nu/ch/test/read.cgi/general/1075424427/ |archive-date = 2005-03-16}}
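The suggested explanation, that an exhaustive key search run with one application's S-box finds nothing when the ciphertext was produced with another's, can be reproduced on a toy cipher. The following is an added example, not part of the original article or the C2 specification: the round function, key schedule, 16-bit key size and both S-boxes are constructed for illustration, and only the 10-round Feistel structure with 64-bit blocks is taken from the description above.

```python
# Toy Feistel cipher, NOT the C2 specification. All constants are constructed.
MASK = 0xFFFFFFFF
ROUNDS = 10      # same round count as C2
KEY_BITS = 16    # toy key size so a full search finishes in seconds (C2 uses 56)

# Two constructed 8-bit permutations standing in for per-application S-boxes.
SBOX_APP_A = [(167 * x + 13) % 256 for x in range(256)]
SBOX_APP_B = [(45 * x + 101) % 256 for x in range(256)]

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def round_key(key, i):
    # Hypothetical key schedule; the odd multiplier keeps distinct keys distinct.
    return (key * 0x9E3779B1 + i * 0x7F4A7C15) & MASK

def feistel_f(half, rk, sbox):
    t = (half + rk) & MASK
    t = (t & 0xFFFFFF00) | sbox[t & 0xFF]   # the only S-box-dependent step
    return t ^ rotl(t, 9) ^ rotl(t, 22)

def encrypt(block, key, sbox):
    left, right = block >> 32, block & MASK
    for i in range(ROUNDS):
        left, right = right, left ^ feistel_f(right, round_key(key, i), sbox)
    return (left << 32) | right

def decrypt(block, key, sbox):
    # Same structure with the round keys applied in reverse order.
    left, right = block >> 32, block & MASK
    for i in reversed(range(ROUNDS)):
        left, right = right ^ feistel_f(left, round_key(key, i), sbox), left
    return (left << 32) | right

def exhaustive_search(plaintext, ciphertext, sbox):
    """Return every key in the toy keyspace mapping plaintext to ciphertext."""
    return [k for k in range(1 << KEY_BITS)
            if encrypt(plaintext, k, sbox) == ciphertext]

# Constructed known plaintext/ciphertext pair, produced with S-box A.
SECRET_KEY = 0xBEEF
PLAINTEXT = 0x0123456789ABCDEF
CIPHERTEXT = encrypt(PLAINTEXT, SECRET_KEY, SBOX_APP_A)

if __name__ == "__main__":
    hits = exhaustive_search(PLAINTEXT, CIPHERTEXT, SBOX_APP_A)
    print("matching S-box:", [hex(k) for k in hits])
    print("other S-box:   ", exhaustive_search(PLAINTEXT, CIPHERTEXT, SBOX_APP_B))
```

With the matching S-box the search returns exactly the key that was used; with the other S-box the entire keyspace is exhausted without a single candidate, which is the outcome the 2004 project reported.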

Another brute-force attack to recover DVD-Audio CPPM device keys was mounted on 2009-05-06. The attack was intended to find any of 24570 secret device keys by testing the MKB file from the Queen "The Game" DVD-Audio disc. On 2009-10-20 such a key, for column 0 and row 24408, was discovered.

A similar brute-force attack to recover DVD-VR CPRM device keys was mounted on 2009-10-20. The attack was intended to find any of 3066 secret device keys by testing the MKB from a Panasonic LM-AF120LE DVD-RAM disc. On 2009-11-27 such a key, for column 0 and row 2630, was discovered.

By now the CPPM/CPRM protection scheme is deemed unreliable.

