Cryptomeria cipher

Source: Wikipedia, the free encyclopedia.
Cryptomeria cipher
Feistel network
Rounds: 10
Best public cryptanalysis
A boomerang attack breaks all 10 rounds in 2^48 time with known S-box, or 2^53.5 with an unknown S-box, using 2^44 adaptively chosen plaintexts/ciphertexts. [1]

The Cryptomeria cipher, also called C2, is a

Secure Digital cards and DVD-Audio discs.

Cipher details

The C2

substitution box (S-box), which are only available under a license from the 4C Entity.

The 4C Entity licenses a different set of S-boxes for each application (such as DVD-Audio, DVD-Video and CPRM).[2]

Cryptanalysis

In 2008, an attack was published against a reduced 8-round version of Cryptomeria to discover the S-box in a chosen-key scenario. In a practical experiment, the attack succeeded in recovering parts of the S-box in 15 hours of CPU time, using 2 plaintext-ciphertext pairs.[2]

A paper by Julia Borghoff, Lars Knudsen, Gregor Leander and Krystian Matusiewicz in 2009 breaks the full-round cipher in three different scenarios; it presents a 2^24 time complexity attack to recover the S-box in a chosen-key scenario, a 2^48 boomerang attack to recover the key with a known S-box using 2^44 adaptively chosen plaintexts/ciphertexts, and a 2^53.5 attack when both the key and S-box are unknown.[1]

Distributed brute force cracking effort

Following an announcement by Japanese HDTV broadcasters that they would begin broadcasting programs with the copy-once broadcast flag on 2004-04-05, a distributed Cryptomeria cipher brute force cracking effort was launched on 2003-12-21. To enforce the broadcast flag, digital video recorders employ CPRM-compatible storage devices, which the project aimed to circumvent. However, the project was ended and declared a failure on 2004-03-08 after searching the entire 56-bit keyspace, failing to turn up a valid key for unknown reasons.[3] Because the attack was based on S-box values from DVD-Audio, it was suggested that CPRM may use different S-boxes.[4]

Another brute force attack to recover DVD-Audio CPPM device keys was mounted on 2009-05-06. The attack was intended to find any of 24570 secret device keys by testing the MKB file from the Queen "The Game" DVD-Audio disc. On 2009-10-20, such a key for column 0 and row 24408 was discovered.

A similar brute force attack to recover CPRM device keys was mounted on 2009-10-20. The attack was intended to find any of 3066 secret device keys by testing the MKB from a Panasonic LM-AF120LE DVD-RAM disc. On 2009-11-27, such a key for column 0 and row 2630 was discovered.

By now the CPPM/CPRM protection scheme is deemed unreliable.

Notes

  1. ^ .
  2. ^ Darmstadt University of Technology. (Abstract is in German, rest is in English)
  3. ^ "Distributed C2 Brute Force Attack: Status Page". Retrieved 2006-08-14.
    "C2 Brute Force Crack - team timecop". Archived version of cracking team's English web site. Archived from the original on 2005-03-06. Retrieved 2006-10-30.
  4. ^ "Discussion about the attack (Archived)". Archived from the original on 2005-03-16. Retrieved 2006-10-30.
