27:
1893:
281:
employ CPRM-compatible storage devices, which the project aimed to circumvent. However, the project was ended and declared a failure on 2004-03-08 after searching the entire 56-bit keyspace, failing to turn up a valid key for unknown reasons. Because the attack was based on
257:, Gregor Leander and Krystian Matusiewicz in 2009 breaks the full-round cipher in three different scenarios; it presents a 2 time complexity attack to recover the S-box in a chosen-key scenario, a 2
1873:
1703:
250:
in a chosen-key scenario. In a practical experiment, the attack succeeded in recovering parts of the S-box in 15 hours of CPU time, using 2 plaintext-ciphertext pairs.
1556:
1491:
572:
485:
1318:
674:
297:
277:
starting with 2004-04-05, a distributed
Cryptomeria cipher brute force cracking effort was launched on 2003-12-21. To enforce the broadcast flag,
177:
261:
to recover the key with a known S-box using 2 adaptively chosen plaintexts/ciphertexts, and a 2 attack when both the key and S-box are unknown.
1308:
802:
365:
1209:
1471:
1445:
1313:
1286:
400:
457:
1549:
1455:
565:
1334:
143:
breaks all 10 rounds in 2 time with known S-box, or 2 with an unknown S-box, using 2 adaptively chosen plaintexts/ciphertexts.
1752:
1512:
514:
1926:
1542:
602:
352:. Lecture Notes in Computer Science. Vol. 5677. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 250–266.
1868:
1823:
1636:
1398:
558:
1747:
1415:
1325:
1303:
616:
270:
300:
device keys was mounted on 2009-05-06. The attack was intended to find any of 24570 secret device keys by testing
1863:
1420:
1276:
1229:
704:
318:
device keys was mounted on 2009-10-20. The attack was intended to find any of 3066 secret device keys by testing
216:
180:
101:
1931:
1853:
1843:
1698:
1486:
1368:
1243:
612:
208:
69:
1848:
1838:
1641:
1601:
1594:
1584:
1579:
1425:
1214:
585:
200:
169:
79:
1921:
1589:
1517:
1393:
1388:
1340:
278:
1189:
428:
348:
Borghoff, Julia; Knudsen, Lars R.; Leander, Gregor; Matusiewicz, Krystian (2009). "Cryptanalysis of C2".
1896:
1742:
1688:
1507:
1330:
767:
496:
1858:
1782:
1410:
1293:
1219:
902:
882:
158:
121:
1621:
1373:
1350:
669:
184:
246:
In 2008, an attack was published against a reduced 8-round version of
Cryptomeria to discover the
1727:
1711:
1658:
1358:
1266:
978:
907:
877:
26:
1787:
1777:
1648:
1078:
777:
737:
732:
699:
659:
607:
371:
361:
1722:
1450:
1345:
1224:
1083:
963:
932:
626:
353:
258:
224:
140:
1297:
1281:
1270:
1204:
1163:
1128:
1058:
1038:
912:
792:
787:
742:
461:
319:
301:
114:
393:
1797:
1717:
1678:
1626:
1611:
1435:
1383:
1194:
1179:
1118:
1113:
998:
747:
274:
204:
34:
1915:
1878:
1833:
1792:
1772:
1668:
1631:
1606:
1430:
1378:
1257:
1239:
1028:
1003:
993:
817:
807:
654:
132:
1828:
1673:
1663:
1653:
1616:
1565:
1363:
1184:
1148:
1013:
892:
847:
679:
631:
581:
254:
161:
357:
223:, but implementations require the so-called "secret constant", the values of the
1807:
973:
968:
852:
525:
230:
The 4C Entity licenses a different set of S-boxes for each application (such as
220:
1767:
1737:
1732:
1693:
1405:
1123:
1063:
947:
942:
887:
757:
620:
375:
1757:
1138:
1133:
1023:
937:
832:
812:
492:
415:
305:
294:
287:
273:
broadcasters that they would start broadcasting programs with the copy-once
235:
231:
188:
165:
51:
1802:
1762:
1476:
1440:
1234:
897:
772:
752:
664:
212:
91:
308:
disc. On 2009-10-20 such key for column 0 and row 24408 was discovered.
1143:
1093:
1053:
1043:
988:
983:
827:
636:
326:
disc. On 2009-11-27 such key for column 0 and row 2630 was discovered.
323:
219:
of 64 bits. The encryption and decryption algorithms are available for
227:(S-box), which are only available under a license from the 4C Entity.
1683:
1481:
1103:
1098:
1033:
1018:
1008:
953:
927:
922:
917:
797:
782:
312:
1199:
1158:
1108:
1088:
1073:
862:
842:
762:
727:
283:
247:
1048:
957:
872:
867:
857:
837:
709:
694:
315:
1538:
554:
1153:
1068:
689:
684:
436:
173:
329:
By now the CPPM/CPRM protection scheme is deemed unreliable.
25:
290:, it was suggested that CPRM may use different S-boxes.
1704:
Cryptographically secure pseudorandom number generator
524:. Puerto Vallarta, Mexico. 2006-01-23. Archived from
542:
433:
Archived version of cracking team's
English web site
1816:
1572:
1500:
1464:
1253:
1172:
718:
645:
593:
387:
385:
130:
120:
110:
100:
90:
85:
75:
65:
57:
47:
42:
522:Proceedings of the IASTED International Conference
394:"Algebraic Methods in Block Cipher Cryptanalysis"
416:"Distributed C2 Brute Force Attack: Status Page"
343:
341:
515:"Software Obfuscation from Crackers' Viewpoint"
1550:
566:
8:
19:
405:(Abstract is in German, rest is in English)
1557:
1543:
1535:
573:
559:
551:
547:
543:
311:The similar brute force attack to recover
458:"Discussion about the attack (Archived)"
183:scheme which are used by DRM-restricted
337:
265:Distributed brute force cracking effort
293:Another brute force attack to recover
269:Following an announcement by Japanese
18:
429:"C2 Brute Force Crack - team timecop"
7:
350:Advances in Cryptology - CRYPTO 2009
392:Ralf-Philipp Weimann (2008-03-01).
401:Darmstadt University of Technology
16:Block cipher used by the 4C Entity
14:
495:, LLC. 2003-01-17. Archived from
1892:
1891:
486:"C2 Block Cipher Specification"
1753:Information-theoretic security
1:
358:10.1007/978-3-642-03356-8_15
164:defined and licensed by the
1869:Message authentication code
1824:Cryptographic hash function
1637:Cryptographic hash function
304:file from Queen "The Game"
253:A paper by Julia Borghoff,
176:) and was designed for the
1948:
1748:Harvest now, decrypt later
322:from Panasonic LM-AF120LE
37:of the Cryptomeria cipher.
1887:
1864:Post-quantum cryptography
1534:
1456:Time/memory/data tradeoff
550:
546:
181:digital rights management
168:. It is the successor to
138:
24:
1854:Quantum key distribution
1844:Authenticated encryption
1699:Random number generation
1244:Whitening transformation
1849:Public-key cryptography
1839:Symmetric-key algorithm
1642:Key derivation function
1602:Cryptographic primitive
1595:Authentication protocol
1585:Outline of cryptography
1580:History of cryptography
1215:Confusion and diffusion
279:digital video recorders
201:symmetric key algorithm
1590:Cryptographic protocol
30:
1743:End-to-end encryption
1689:Cryptojacking malware
1508:Initialization vector
29:
1927:Broken block ciphers
1859:Quantum cryptography
1783:Trusted timestamping
1287:3-subset MITM attack
903:Intel Cascade Cipher
883:Hasty Pudding cipher
185:Secure Digital cards
172:algorithm (used for
1622:Cryptographic nonce
1326:Differential-linear
21:
1728:Subliminal channel
1712:Pseudorandom noise
1659:Key (cryptography)
1399:Differential-fault
617:internal mechanics
151:Cryptomeria cipher
31:
20:Cryptomeria cipher
1909:
1908:
1905:
1904:
1788:Key-based routing
1778:Trapdoor function
1649:Digital signature
1530:
1529:
1526:
1525:
1513:Mode of operation
1190:Lai–Massey scheme
367:978-3-642-03355-1
215:of 56 bits and a
147:
146:
1939:
1895:
1894:
1723:Insecure channel
1559:
1552:
1545:
1536:
1384:Power-monitoring
1225:Avalanche effect
933:Khufu and Khafre
586:security summary
575:
568:
561:
552:
548:
544:
539:
537:
536:
530:
519:
510:
508:
507:
501:
490:
473:
472:
470:
469:
460:. Archived from
454:
448:
447:
445:
444:
435:. Archived from
425:
423:
422:
412:
406:
404:
398:
389:
380:
379:
345:
259:boomerang attack
225:substitution box
141:boomerang attack
35:Feistel function
22:
1947:
1946:
1942:
1941:
1940:
1938:
1937:
1936:
1932:Feistel ciphers
1912:
1911:
1910:
1901:
1883:
1812:
1568:
1563:
1522:
1496:
1465:Standardization
1460:
1389:Electromagnetic
1341:Integral/Square
1298:Piling-up lemma
1282:Biclique attack
1271:EFF DES cracker
1255:
1249:
1180:Feistel network
1168:
793:CIPHERUNICORN-E
788:CIPHERUNICORN-A
720:
714:
647:
641:
595:
589:
579:
534:
532:
528:
517:
513:
505:
503:
499:
488:
484:
481:
476:
467:
465:
456:
455:
451:
442:
440:
427:
426:
420:
418:
414:
413:
409:
396:
391:
390:
383:
368:
347:
346:
339:
335:
267:
244:
197:
115:Feistel network
76:Related to
58:First published
38:
17:
12:
11:
5:
1945:
1943:
1935:
1934:
1929:
1924:
1914:
1913:
1907:
1906:
1903:
1902:
1900:
1899:
1888:
1885:
1884:
1882:
1881:
1876:
1874:Random numbers
1871:
1866:
1861:
1856:
1851:
1846:
1841:
1836:
1831:
1826:
1820:
1818:
1814:
1813:
1811:
1810:
1805:
1800:
1798:Garlic routing
1795:
1790:
1785:
1780:
1775:
1770:
1765:
1760:
1755:
1750:
1745:
1740:
1735:
1730:
1725:
1720:
1718:Secure channel
1715:
1709:
1708:
1707:
1696:
1691:
1686:
1681:
1679:Key stretching
1676:
1671:
1666:
1661:
1656:
1651:
1646:
1645:
1644:
1639:
1629:
1627:Cryptovirology
1624:
1619:
1614:
1612:Cryptocurrency
1609:
1604:
1599:
1598:
1597:
1587:
1582:
1576:
1574:
1570:
1569:
1564:
1562:
1561:
1554:
1547:
1539:
1532:
1531:
1528:
1527:
1524:
1523:
1521:
1520:
1515:
1510:
1504:
1502:
1498:
1497:
1495:
1494:
1489:
1484:
1479:
1474:
1468:
1466:
1462:
1461:
1459:
1458:
1453:
1448:
1443:
1438:
1433:
1428:
1423:
1418:
1413:
1408:
1403:
1402:
1401:
1396:
1391:
1386:
1381:
1371:
1366:
1361:
1356:
1348:
1343:
1338:
1331:Distinguishing
1328:
1323:
1322:
1321:
1316:
1311:
1301:
1291:
1290:
1289:
1284:
1274:
1263:
1261:
1251:
1250:
1248:
1247:
1237:
1232:
1227:
1222:
1217:
1212:
1207:
1202:
1197:
1195:Product cipher
1192:
1187:
1182:
1176:
1174:
1170:
1169:
1167:
1166:
1161:
1156:
1151:
1146:
1141:
1136:
1131:
1126:
1121:
1116:
1111:
1106:
1101:
1096:
1091:
1086:
1081:
1076:
1071:
1066:
1061:
1056:
1051:
1046:
1041:
1036:
1031:
1026:
1021:
1016:
1011:
1006:
1001:
996:
991:
986:
981:
976:
971:
966:
961:
950:
945:
940:
935:
930:
925:
920:
915:
910:
905:
900:
895:
890:
885:
880:
875:
870:
865:
860:
855:
850:
845:
840:
835:
830:
825:
823:Cryptomeria/C2
820:
815:
810:
805:
800:
795:
790:
785:
780:
775:
770:
765:
760:
755:
750:
745:
740:
735:
730:
724:
722:
716:
715:
713:
712:
707:
702:
697:
692:
687:
682:
677:
672:
667:
662:
657:
651:
649:
643:
642:
640:
639:
634:
629:
624:
610:
605:
599:
597:
591:
590:
580:
578:
577:
570:
563:
555:
541:
540:
511:
480:
477:
475:
474:
449:
407:
381:
366:
336:
334:
331:
275:broadcast flag
266:
263:
243:
240:
205:Feistel cipher
203:is a 10-round
196:
195:Cipher details
193:
153:, also called
145:
144:
136:
135:
128:
127:
124:
118:
117:
112:
108:
107:
104:
98:
97:
94:
88:
87:
83:
82:
77:
73:
72:
67:
63:
62:
59:
55:
54:
49:
45:
44:
40:
39:
32:
15:
13:
10:
9:
6:
4:
3:
2:
1944:
1933:
1930:
1928:
1925:
1923:
1922:Block ciphers
1920:
1919:
1917:
1898:
1890:
1889:
1886:
1880:
1879:Steganography
1877:
1875:
1872:
1870:
1867:
1865:
1862:
1860:
1857:
1855:
1852:
1850:
1847:
1845:
1842:
1840:
1837:
1835:
1834:Stream cipher
1832:
1830:
1827:
1825:
1822:
1821:
1819:
1815:
1809:
1806:
1804:
1801:
1799:
1796:
1794:
1793:Onion routing
1791:
1789:
1786:
1784:
1781:
1779:
1776:
1774:
1773:Shared secret
1771:
1769:
1766:
1764:
1761:
1759:
1756:
1754:
1751:
1749:
1746:
1744:
1741:
1739:
1736:
1734:
1731:
1729:
1726:
1724:
1721:
1719:
1716:
1713:
1710:
1705:
1702:
1701:
1700:
1697:
1695:
1692:
1690:
1687:
1685:
1682:
1680:
1677:
1675:
1672:
1670:
1669:Key generator
1667:
1665:
1662:
1660:
1657:
1655:
1652:
1650:
1647:
1643:
1640:
1638:
1635:
1634:
1633:
1632:Hash function
1630:
1628:
1625:
1623:
1620:
1618:
1615:
1613:
1610:
1608:
1607:Cryptanalysis
1605:
1603:
1600:
1596:
1593:
1592:
1591:
1588:
1586:
1583:
1581:
1578:
1577:
1575:
1571:
1567:
1560:
1555:
1553:
1548:
1546:
1541:
1540:
1537:
1533:
1519:
1516:
1514:
1511:
1509:
1506:
1505:
1503:
1499:
1493:
1490:
1488:
1485:
1483:
1480:
1478:
1475:
1473:
1470:
1469:
1467:
1463:
1457:
1454:
1452:
1449:
1447:
1444:
1442:
1439:
1437:
1434:
1432:
1429:
1427:
1424:
1422:
1419:
1417:
1414:
1412:
1411:Interpolation
1409:
1407:
1404:
1400:
1397:
1395:
1392:
1390:
1387:
1385:
1382:
1380:
1377:
1376:
1375:
1372:
1370:
1367:
1365:
1362:
1360:
1357:
1355:
1354:
1349:
1347:
1344:
1342:
1339:
1336:
1332:
1329:
1327:
1324:
1320:
1317:
1315:
1312:
1310:
1307:
1306:
1305:
1302:
1299:
1295:
1292:
1288:
1285:
1283:
1280:
1279:
1278:
1275:
1272:
1268:
1265:
1264:
1262:
1259:
1258:cryptanalysis
1252:
1245:
1241:
1240:Key whitening
1238:
1236:
1233:
1231:
1228:
1226:
1223:
1221:
1218:
1216:
1213:
1211:
1208:
1206:
1203:
1201:
1198:
1196:
1193:
1191:
1188:
1186:
1183:
1181:
1178:
1177:
1175:
1171:
1165:
1162:
1160:
1157:
1155:
1152:
1150:
1147:
1145:
1142:
1140:
1137:
1135:
1132:
1130:
1127:
1125:
1122:
1120:
1117:
1115:
1112:
1110:
1107:
1105:
1102:
1100:
1097:
1095:
1092:
1090:
1087:
1085:
1082:
1080:
1077:
1075:
1072:
1070:
1067:
1065:
1062:
1060:
1057:
1055:
1052:
1050:
1047:
1045:
1042:
1040:
1037:
1035:
1032:
1030:
1029:New Data Seal
1027:
1025:
1022:
1020:
1017:
1015:
1012:
1010:
1007:
1005:
1002:
1000:
997:
995:
992:
990:
987:
985:
982:
980:
977:
975:
972:
970:
967:
965:
962:
959:
955:
951:
949:
946:
944:
941:
939:
936:
934:
931:
929:
926:
924:
921:
919:
916:
914:
911:
909:
906:
904:
901:
899:
896:
894:
891:
889:
886:
884:
881:
879:
876:
874:
871:
869:
866:
864:
861:
859:
856:
854:
851:
849:
846:
844:
841:
839:
836:
834:
831:
829:
826:
824:
821:
819:
816:
814:
811:
809:
806:
804:
801:
799:
796:
794:
791:
789:
786:
784:
781:
779:
776:
774:
771:
769:
768:BEAR and LION
766:
764:
761:
759:
756:
754:
751:
749:
746:
744:
741:
739:
736:
734:
731:
729:
726:
725:
723:
717:
711:
708:
706:
703:
701:
698:
696:
693:
691:
688:
686:
683:
681:
678:
676:
673:
671:
668:
666:
663:
661:
658:
656:
653:
652:
650:
644:
638:
635:
633:
630:
628:
625:
622:
618:
614:
611:
609:
606:
604:
601:
600:
598:
592:
587:
583:
582:Block ciphers
576:
571:
569:
564:
562:
557:
556:
553:
549:
545:
531:on 2007-09-26
527:
523:
516:
512:
502:on 2011-07-18
498:
494:
487:
483:
482:
478:
464:on 2005-03-16
463:
459:
453:
450:
439:on 2005-03-06
438:
434:
430:
417:
411:
408:
402:
395:
388:
386:
382:
377:
373:
369:
363:
359:
355:
351:
344:
342:
338:
332:
330:
327:
325:
321:
317:
314:
309:
307:
303:
299:
296:
291:
289:
285:
280:
276:
272:
264:
262:
260:
256:
251:
249:
242:Cryptanalysis
241:
239:
237:
233:
228:
226:
222:
218:
214:
210:
206:
202:
194:
192:
190:
186:
182:
179:
175:
171:
167:
163:
160:
156:
152:
142:
137:
134:
133:cryptanalysis
129:
125:
123:
119:
116:
113:
109:
105:
103:
99:
95:
93:
89:
86:Cipher detail
84:
81:
78:
74:
71:
68:
64:
60:
56:
53:
50:
46:
41:
36:
28:
23:
1829:Block cipher
1674:Key schedule
1664:Key exchange
1654:Kleptography
1617:Cryptosystem
1566:Cryptography
1416:Partitioning
1374:Side-channel
1352:
1319:Higher-order
1304:Differential
1185:Key schedule
822:
533:. Retrieved
526:the original
521:
504:. Retrieved
497:the original
466:. Retrieved
462:the original
452:
441:. Retrieved
437:the original
432:
419:. Retrieved
410:
349:
328:
310:
292:
286:values from
268:
255:Lars Knudsen
252:
245:
229:
198:
162:block cipher
154:
150:
148:
131:Best public
66:Derived from
1817:Mathematics
1808:Mix network
1501:Utilization
1487:NSA Suite B
1472:AES process
1421:Rubber-hose
1359:Related-key
1267:Brute-force
646:Less common
238:and CPRM).
221:peer review
211:, it has a
159:proprietary
102:Block sizes
1916:Categories
1768:Ciphertext
1738:Decryption
1733:Encryption
1694:Ransomware
1451:Chi-square
1369:Rotational
1309:Impossible
1230:Block size
1124:Spectr-H64
948:Ladder-DES
943:Kuznyechik
888:Hierocrypt
758:BassOmatic
721:algorithms
648:algorithms
621:Triple DES
596:algorithms
535:2006-08-13
506:2009-02-13
479:References
468:2006-10-30
443:2006-10-30
421:2006-08-14
217:block size
1758:Plaintext
1426:Black-bag
1346:Boomerang
1335:Known-key
1314:Truncated
1139:Threefish
1134:SXAL/MBAL
1024:MultiSwap
979:MacGuffin
938:KN-Cipher
878:Grand Cru
833:CS-Cipher
813:COCONUT98
493:4C Entity
376:0302-9743
306:DVD-Audio
295:DVD-Audio
288:DVD-Audio
236:DVD-Video
232:DVD-Audio
189:DVD-Audio
178:CPRM/CPPM
174:DVD-Video
166:4C Entity
111:Structure
92:Key sizes
52:4C Entity
48:Designers
1897:Category
1803:Kademlia
1763:Codetext
1706:(CSPRNG)
1477:CRYPTREC
1441:Weak key
1394:Acoustic
1235:Key size
1079:Red Pike
898:IDEA NXT
778:Chiasmus
773:CAST-256
753:BaseKing
738:Akelarre
733:Adiantum
700:Skipjack
665:CAST-128
660:Camellia
608:Blowfish
213:key size
1573:General
1518:Padding
1436:Rebound
1144:Treyfer
1094:SAVILLE
1054:PRESENT
1044:NOEKEON
989:MAGENTA
984:Madryga
964:Lucifer
828:CRYPTON
637:Twofish
627:Serpent
491:. 1.0.
324:DVD-RAM
207:. Like
199:The C2
191:discs.
157:, is a
106:64 bits
96:56 bits
43:General
1684:Keygen
1482:NESSIE
1431:Davies
1379:Timing
1294:Linear
1254:Attack
1173:Design
1164:Zodiac
1129:Square
1104:SHACAL
1099:SC2000
1059:Prince
1039:Nimbus
1034:NewDES
1019:MULTI2
1009:MISTY1
952:LOKI (
928:KHAZAD
923:KeeLoq
918:KASUMI
913:Kalyna
798:CLEFIA
783:CIKS-1
743:Anubis
594:Common
374:
364:
313:DVD-VR
122:Rounds
1714:(PRN)
1364:Slide
1220:Round
1205:P-box
1200:S-box
1159:XXTEA
1119:Speck
1114:Simon
1109:SHARK
1089:SAFER
1074:REDOC
999:Mercy
958:89/91
908:Iraqi
873:G-DES
863:FEA-M
843:DES-X
808:Cobra
763:BATON
748:Ascon
728:3-Way
719:Other
529:(PDF)
518:(PDF)
500:(PDF)
489:(PDF)
397:(PDF)
333:Notes
284:S-box
248:S-box
1492:CNSA
1351:Mod
1277:MITM
1049:NUSH
1004:MESH
994:MARS
868:FROG
858:FEAL
838:DEAL
818:Crab
803:CMEA
710:XTEA
695:SEED
675:IDEA
670:GOST
655:ARIA
372:ISSN
362:ISBN
316:CPRM
298:CPPM
271:HDTV
187:and
149:The
61:2003
33:The
1446:Tau
1406:XSL
1210:SPN
1154:xmx
1149:UES
1084:S-1
1069:RC2
1014:MMB
893:ICE
848:DFC
705:TEA
690:RC6
685:RC5
680:LEA
632:SM4
613:DES
603:AES
354:doi
320:MKB
302:MKB
209:DES
170:CSS
80:CSS
70:DES
1918::
974:M8
969:M6
956:,
954:97
853:E2
619:,
520:.
431:.
399:.
384:^
370:.
360:.
340:^
234:,
155:C2
139:A
126:10
1558:e
1551:t
1544:v
1353:n
1337:)
1333:(
1300:)
1296:(
1273:)
1269:(
1260:)
1256:(
1246:)
1242:(
1064:Q
960:)
623:)
615:(
588:)
584:(
574:e
567:t
560:v
538:.
509:.
471:.
446:.
424:.
403:.
378:.
356::
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
