Eliminating Variables in Boolean Equation Systems

Systems of Boolean equations of low degree arise in a natural way when analyzing block ciphers. The cipher's round functions relate the secret key to auxiliary variables that are introduced by each successive round. In algebraic cryptanalysis, the attacker attempts to solve the resulting equation system in order to extract the secret key. In this paper we study algorithms for eliminating the auxiliary variables from these systems of Boolean equations. It is known that elimination of variables in general increases the degree of the equations involved. In order to contain computational complexity and storage complexity, we present two new algorithms for performing elimination while bounding the degree at $3$, which is the lowest possible for elimination. Further we show that the new algorithms are related to the well known \emph{XL} algorithm. We apply the algorithms to a downscaled version of the LowMC cipher and to a toy cipher based on the Prince cipher, and report on experimental results pertaining to these examples.Comment: 21 pages, 3 figures, Journal pape

Likelihood Estimation for Block Cipher Keys

In this paper, we give a general framework for the analysis of block ciphers using the statistical technique of likelihood estimation. We show how various recent successful cryptanalyses of block ciphers can be regarded in this framework. By analysing the SAFER block cipher in this framework we expose a cryptographic weakness of that cipher

Hypothesis testing and advanced distinguishers in differential cryptanalysis of block ciphers

Distinguishing distributions is a major part during cryptanalysis of symmetric block ciphers. The goal of the cryptanalyst is to distinguish two distributions; one that characterizes the number of certain events which occur totally at random and another one that characterizes same type of events but due to propagation inside the cipher. This can be realized as a hypothesis testing problem, where a source is used to generate independent random samples in some given finite set with some distribution P, which is either R or W, corresponding to propagation inside the cipher or a random permutation respectively. Distinguisher’s goal is to determine which one is most likely the one which was used to generate the sample. In this paper, we study a general hypothesis-testing based approach to construct statistical distinguishers using truncated differential properties. The observable variable in our case is the expected number of pairs that follow a certain truncated differential property of the form ΔX → ΔY after a certain number of rounds. As a proof of concept, we apply this methodology to GOST and SIMON 64/128 block ciphers and present distinguishers on 20 and 22 rounds respectivel

Security in 1-wire system : case study : Home automation /

La automatización de viviendas es un campo de la tecnología que siempre se encuentra en crecimiento, desarrollando sistemas que reducen los costos de los dispositivos. Por esto, se ha logrado que la domótica esté al alcance de todos. Desde la aparición de productos que permiten crear tu propio sistema domótico, y la reciente popularidad que ha tenido el Internet de las cosas (IoT), la industria de la automatización de viviendas ha cambiado mucho. Tener la habilidad de controlar dispositivos a través de Internet crea numerosas vulnerabilidades al sistema, permitiendo a un atacante controlar y ver todo lo que ocurre. En este trabajo se estudia un sistema domótico que usa 1-wire como protocolo de comunicación. Originalmente, el sistema carece de seguridad. Nuestro objetivo es implementar seguridad de la información a través de la encriptación de los comandos del sistema, para así poder proveer Confidencialidad, Integridad y Disponibilidad (CIA). Los resultados muestran no sólo la implementación exitosa del módulo criptográfico dentro del sistema domótico para proveer seguridad, sino que también se demuestra que añadir este proceso no afectaría el modo en que el usuario maneja sus dispositivos.Incluye referencias bibliográfica

Bayesian Modeling for Differential Cryptanalysis of Block Ciphers: a DES instance

Encryption algorithms based on block ciphers are among the most widely adopted solutions for providing information security. Over the years, a variety of methods have been proposed to evaluate the robustness of these algorithms to different types of security attacks. One of the most effective analysis techniques is differential cryptanalysis, whose aim is to study how variations in the input propagate on the output. In this work we address the modeling of differential attacks to block cipher algorithms by defining a Bayesian framework that allows a probabilistic estimation of the secret key. In order to prove the validity of the proposed approach, we present as case study a differential attack to the Data Encryption Standard (DES) which, despite being one of the methods that has been most thoroughly analyzed, is still of great interest to the scientific community since its vulnerabilities may have implications on other ciphers

Polytopic Cryptanalysis

Standard differential cryptanalysis uses statistical dependencies between the difference of two plaintexts and the difference of the respective two ciphertexts to attack a cipher. Here we introduce polytopic cryptanalysis which considers interdependencies between larger sets of texts as they traverse through the cipher. We prove that the methodology of standard differential cryptanalysis can unambiguously be extended and transferred to the polytopic case including impossible differentials. We show that impossible polytopic transitions have generic advantages over impossible differentials. To demonstrate the practical relevance of the generalization, we present new low-data attacks on round-reduced DES and AES using impossible polytopic transitions that are able to compete with existing attacks, partially outperforming these

Using Local Reduction for the Experimental Evaluation of the Cipher Security

Evaluating the strength of block ciphers against algebraic attacks can be difficult. The attack methods often use different metrics, and experiments do not scale well in practice. We propose a methodology that splits the algebraic attack into a polynomial part (local reduction), and an exponential part (guessing), respectively. The evaluator uses instances with known solutions to estimate the complexity of the attacks, and the response to changing parameters of the problem (e.g. the number of rounds). Although the methodology does not provide a positive answer ("the cipher is secure"), it can be used to construct a negative test (reject weak ciphers), or as a tool of qualitative comparison of cipher designs. Potential applications in other areas of computer science are discussed in the concluding parts of the article