This Article 
 Bibliographic References 
 Add to: 
Cryptanalysis with COPACOBANA
November 2008 (vol. 57 no. 11)
pp. 1498-1513
Tim Güneysu, Ruhr-Universität Bochum, Bochum
Timo Kasper, Ruhr-Universität Bochum, Bochum
Martin Novotný, Ruhr-Universität Bochum, Bochum
Christof Paar, Ruhr-Universität Bochum, Bochum
Andy Rupp, Ruhr-Universität Bochum, Bochum
Cryptanalysis of ciphers usually involves massive computations. The security parameters of cryptographic algorithms are commonly chosen so that attacks are infeasible with available computing resources. This contribution presents a variety of cryptanalytical applications utilizing the COPACOBANA (Cost-Optimized Parallel Code Breaker) machine which is a high-performance, low-cost cluster consisting of 120 Field Programmable Gate Arrays (FPGA). COPACOBANA appears to be the only such reconfigurable parallel FPGA machine optimized for code breaking tasks reported in the open literature. Depending on the actual algorithm, the parallel hardware architecture can outperform conventional computers by several orders of magnitude. In this work, we will focus on novel implementations of cryptanalytical algorithms, utilizing the impressive computational power of COPACOBANA. We describe various exhaustive key search attacks on symmetric ciphers and demonstrate an attack on a security mechanism employed in the electronic passport. Furthermore, we describe time-memory tradeoff techniques which can, e.g., be used for attacking the popular A5/1 algorithm used in GSM voice encryption. In addition, we introduce efficient implementations of more complex cryptanalysis on asymmetric cryptosystems, e.g., Elliptic Curve Cryptosystems (ECC) and number co-factorization for RSA.

[1] Standards for Efficient Cryptography—SEC 1: Elliptic Curve Cryptography, http://www.secg.orgsecg_docs.htm, Sept. 2000.
[2] S. Babbage, “A Space/Time Tradeoff in Exhaustive Search Attacks on Stream Ciphers,” Proc. European Convention Security and Detection, vol. 408, 1995.
[3] E. Barkan, E. Biham, and A. Shamir, “Rigorous Bounds on Cryptanalytic Time/Memory Tradeoffs,” Proc. 26th Ann. Int'l Cryptology Conf. (CRYPTO '06), pp. 1-21, 2006.
[4] A. Biryukov and A. Shamir, “Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers,” Proc. Sixth Int'l Conf. Theory and Application of Cryptology and Information Security (ASIACRYPT '00), pp. 1-13, 2000.
[5] A. Biryukov, A. Shamir, and D. Wagner, “Real Time Cryptanalysis of A5/1 on a PC,” Proc. Eighth Int'l Workshop Fast Software Encryption (FSE '00), pp. 1-18, 2001.
[6] D. Carluccio, K. Lemke-Rust, C. Paar, and A.-R. Sadeghi, “E-Passport: The Global Traceability or How to Feel Like an UPS Package,” Proc. Seventh Int'l Workshop Information Security Applications (WISA '06), pp. 391-404, 2006.
[7] Certicom Corp., Certicom ECC Challenges, http:/, 2005.
[8] D. Denning, Cryptography and Data Security. Addison-Wesley, 1982.
[9] G. de Meulenaer, F. Gosset, M.M. de Dormale, and J.-J. Quisqater, “Integer Factorization Based on Elliptic Curve Method: Towards Better Exploitation of Reconfigurable Hardware,” Proc. 15th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM '07), pp. 197-206, 2007.
[10] W. Diffie and M.E. Hellman, “Exhaustive Cryptanalysis of the NBS Data Encryption Standard,” Computer, vol. 10, no. 6, pp. 74-84, June 1977.
[11] Electronic Frontier Foundation, Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. O'Reilly & Associates, July 1998.
[12] Germany Fed. Office for Information Security, Advanced Security Mechanisms for Machine Readable Travel Documents—Extended Access Control, , 2007.
[13] T. Finke and H. Kelter, “Radio Frequency Identification—Abhörmöglichkeiten der Kommunikation zwischen Lesegerät und Transponder am Beispiel eines ISO14443-Systems,” , 2007.
[14] K. Finkenzeller, RFID-Handbook. John Wiley & Sons, 2003.
[15] K. Gaj, S. Kwon, P. Baier, P. Kohlbrenner, H. Le, M. Khaleeluddin, and R. Bachimanchi, “Implementing the Elliptic Curve Method ofFactoring in Reconfigurable Hardware,” Proc. Eighth Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES'06), pp. 119-133, 2006.
[16] T. Gueneysu, C. Paar, and J. Pelzl, “Attacking Elliptic Curve Cryptosystems with Special-Purpose Hardware,” Proc. 15th ACM/SIGDA Int'l Symp. Field Programmable Gate Arrays (FPGA '07), pp.207-215, 2007.
[17] G.P. Hancke, “Practical Attacks on Proximity Identification Systems (Short Paper),” Proc. IEEE Symp. Security and Privacy (SP '06), pp. 328-333, 2006.
[18] D.R. Hankerson, A.J. Menezes, and S.A. Vanstone, Guide to Elliptic Curve Cryptography. Springer, 2004.
[19] M.E. Hellman, “A Cryptanalytic Time-Memory Trade-Off,” IEEE Trans. Information Theory, vol. 26, pp. 401-406, 1980.
[20] J.-H. Hoepman, E. Hubbers, B. Jacobs, M. Oostdijk, and R. Wichers Schreur, “Crossing Borders: Security and Privacy Issues of the European E-passport,” Proc. First Int'l Workshop Security (IWSEC '06), pp. 152-167, 2006.
[21] ICAO, “Machine Readable Travel Documents, PKI for Machine Readable Travel Documents Offering ICC Read-Only Access,” technical report, http:/, 2004.
[22] ICAO, Machine Readable Travel Documents, Supplement to Doc9303-Part1-Sixth Edition, 2005.
[23] ICAO, Machine Readable Travel Documents, Doc 9303, Part 1 Machine Readable Passports, fifth ed., 2003.
[24] ISO/IEC 14443, Identification Cards—Contactless Integrated Circuit(s) Cards—Proximity Cards—Part 1-4,, 2001.
[25] S. Vaudenay, J. Monnerat, and M. Vuagnoux, “About Machine-Readable Travel Documents,” Proc. Third Conf. RFID Security (RFIDSec '07), pp. 15-28, 2007.
[26] A. Juels, D. Molnar, and D. Wagner, “Security and Privacy Issues in E-passports,” Proc. First Int'l Conf. Security and Privacy for Emerging Areas in Comm. Networks (SecureComm '05), pp. 74-88, 2005.
[27] T. Kasper, D. Carluccio, and C. Paar, “An Embedded System for Practical Security Analysis of Contactless Smartcards,” Proc. Workshop Information Theory and Practice (WISTP '07), pp.150-160, 2007.
[28] G.S. Kc and P.A. Karger, “Security and Privacy Issues in Machine Readable Travel Documents (MRTDs),” RC 23575, IBM T.J. Watson Research Labs, Apr. 2005.
[29] S. Kumar, C. Paar, J. Pelzl, G. Pfeiffer, and M. Schimmler, “Breaking Ciphers with COPACOBANA—A Cost-Optimized Parallel Code Breaker,” Proc. Eighth Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '06), pp. 101-118, 2006.
[30] H. Lenstra, “Factoring Integers with Elliptic Curves,” Annals of Math., vol. 126, pp. 649-673, 1987.
[31] Y. Liu, T. Kasper, K. Lemke-Rust, and C. Paar, “E-Passport: Cracking Basic Access Control Keys,” Proc. On the Move to Meaningful Internet Systems Workshops (OTM '07) Part II, pp.1531-1547, 2007.
[32] Int'l Business Machines, IBM Research: BlueGene,, 2007.
[33] N. Mentens, L. Batina, B. Prenel, and I. Verbauwhede, “Time-Memory Trade-Off Attack on FPGA Platforms: UNIX Password Cracking,” Proc. Int'l Workshop Applied Reconfigurable Computing (ARC '06), pp. 323-334, 2006.
[34] ICAO TAG MRTD/NTWG, “Biometrics Deployment of Machine Readable Travel Documents,” technical report, 2004.
[35] NIST FIPS PUB 46-3, Data Encryption Standard, Fed. Information Processing Standards, Nat'l Bureau of Standards, US Dept. of Commerce, Jan. 1977.
[36] P. Oechslin, “Making a Faster Cryptanalytic Time-Memory Trade-Off,” Proc. 23rd Ann. Int'l Cryptology Conf. (CRYPTO '03), pp. 617-630, 2003.
[37] Nat'l Inst. of Standards and Tech nology, FIPS 180-3 Secure HashStandard (Draft), , 2007.
[38] P. Gutmann, Norton's InDiskreet, posting to sci.crypt newsgroup, Nov. 1993.
[39] P. Kocher, Norton Diskreet (Security Overview), posting to sci.crypt newsgroup, Nov. 1993.
[40] J.M. Pollard, “Monte Carlo Methods for Index Computation mod $p$ ,” Math. Computation, vol. 32, no. 143, pp. 918-924, July 1978.
[41] R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. ACM, vol. 21, no. 2, pp. 120-126, Feb. 1978.
[42] H. Robroch, “ePassport Privacy Attack,” presentation at Cards Asia Singapore, http:/, Apr. 2006.
[43] G. Rouvroy, F.-X. Standaert, J.-J. Quisquater, and J.-D. Legat, “Design Strategies and Modified Descriptions to Optimize Cipher FPGA Implementations: Fast and Compact Results for DES and Triple-DES,” Proc. 11th ACM/SIGDA Int'l Symp. Field Programmable Gate Arrays (FPGA '03), p. 247, 2003.
[44] M. Šimka, J. Pelzl, T. Kleinjung, J. Franke, C. Priplata, C. Stahlke, M. Drutarovský, V. Fischer, and C. Paar, “Hardware Factorization Based on Elliptic Curve Method,” Proc. 13th Ann. IEEE Symp. Field-Programmable Custom Computing Machines (FCCM '05), pp.107-116, 2005.
[45] F. Standaert, G. Rouvroy, J. Quisquater, and J. Legat, “A Time-Memory Tradeoff Using Distinguished Points: New Analysis & FPGA Results,” Proc. Fourth Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '02), pp. 596-611, 2002.
[46] Univ. of California, Berkeley, Seti@Home Website, http:/, 2005.
[47] P.C. van Oorschot and M.J. Wiener, “Parallel Collision Search with Cryptanalytic Applications,” J. Cryptology, vol. 12, no. 1, pp.1-28, 1999.
[48] Xilinx, Spartan-3 FPGA Family: Complete Data Sheet, DS099, http:/, Jan. 2005.

Index Terms:
Special-Purpose and Application-Based Systems, Reconfigurable hardware, Cryptanalysis
Tim Güneysu, Timo Kasper, Martin Novotný, Christof Paar, Andy Rupp, "Cryptanalysis with COPACOBANA," IEEE Transactions on Computers, vol. 57, no. 11, pp. 1498-1513, Nov. 2008, doi:10.1109/TC.2008.80
Usage of this product signifies your acceptance of the Terms of Use.