22 research outputs found

    Application of Fault Analysis to Some Cryptographic Standards

    Get PDF
    Cryptanalysis methods can be classified as pure mathematical attacks, such as linear and differential cryptanalysis, and implementation dependent attacks such as power analysis and fault analysis. Pure mathematical attacks exploit the mathematical structure of the cipher to reveal the secret key inside the cipher. On the other hand, implementation dependent attacks assume that the attacker has access to the cryptographic device to launch the attack. Fault analysis is an example of a side channel attack in which the attacker is assumed to be able to induce faults in the cryptographic device and observe the faulty output. Then, the attacker tries to recover the secret key by combining the information obtained from the faulty and the correct outputs. Even though fault analysis attacks may require access to some specialized equipment to be able to insert faults at specific locations or at specific times during the computation, the resulting attacks usually have time and memory complexities which are far more practical as compared to pure mathematical attacks. Recently, several AES-based primitives were approved as new cryptographic standards throughout the world. For example, Kuznyechik was approved as the standard block cipher in Russian Federation, and Kalyna and Kupyna were approved as the standard block cipher and the hash function, respectively, in Ukraine. Given the importance of these three new primitives, in this thesis, we analyze their resistance against fault analysis attacks. Firstly, we modified a differential fault analysis (DFA) attack that was applied on AES and applied it on Kuzneychik. Application of DFA on Kuznyechik was not a trivial task because of the linear transformation layer used in the last round of Kuznyechik. In order to bypass the effect of this linear transformation operation, we had to use an equivalent representation of the last round which allowed us to recover the last two round keys using a total of four faults and break the cipher. Secondly, we modified the attack we applied on Kuzneychik and applied it on Kalyna. Kalyna has a complicated key scheduling and it uses modulo 264 addition operation for applying the first and last round keys. This makes Kalyna more resistant to DFA as com- pared to AES and Kuznyechik but it is still practically breakable because the number of key candidates that can be recovered by DFA can be brute-forced in a reasonable time. We also considered the case where the SBox entries of Kalyna are not known and showed how to recover a set of candidates for the SBox entries. Lastly, we applied two fault analysis attacks on Kupyna hash function. In the first case, we assumed that the SBoxes and all the other function parameters are known, and in the second case we assumed that the SBoxes were kept secret and attacked the hash function accordingly. Kupyna can be used as the underlying hash function for the construction of MAC schemes such as secret IV, secret prefix, HMAC or NMAC. In our analysis, we showed that secret inputs of Kupyna can be recovered using fault analysis. To conclude, we analyzed two newly accepted standard ciphers (Kuznyechik, Kalyna) and one newly approved standard hash function (Kupyna) for their resistance against fault attacks. We also analyzed Kalyna and Kupyna with the assumption that these ciphers can be deployed with secret user defined SBoxes in order to increase their security

    Cryptanalysis of Some AES-based Cryptographic Primitives

    Get PDF
    Current information security systems rely heavily on symmetric key cryptographic primitives as one of their basic building blocks. In order to boost the efficiency of the security systems, designers of the underlying primitives often tend to avoid the use of provably secure designs. In fact, they adopt ad hoc designs with claimed security assumptions in the hope that they resist known cryptanalytic attacks. Accordingly, the security evaluation of such primitives continually remains an open field. In this thesis, we analyze the security of two cryptographic hash functions and one block cipher. We primarily focus on the recent AES-based designs used in the new Russian Federation cryptographic hashing and encryption suite GOST because the majority of our work was carried out during the open research competition run by the Russian standardization body TC26 for the analysis of their new cryptographic hash function Streebog. Although, there exist security proofs for the resistance of AES- based primitives against standard differential and linear attacks, other cryptanalytic techniques such as integral, rebound, and meet-in-the-middle attacks have proven to be effective. The results presented in this thesis can be summarized as follows: Initially, we analyze various security aspects of the Russian cryptographic hash function GOST R 34.11-2012, also known as Streebog or Stribog. In particular, our work investigates five security aspects of Streebog. Firstly, we present a collision analysis of the compression function and its in- ternal cipher in the form of a series of modified rebound attacks. Secondly, we propose an integral distinguisher for the 7- and 8-round compression function. Thirdly, we investigate the one wayness of Streebog with respect to two approaches of the meet-in-the-middle attack, where we present a preimage analysis of the compression function and combine the results with a multicollision attack to generate a preimage of the hash function output. Fourthly, we investigate Streebog in the context of malicious hashing and by utilizing a carefully tailored differential path, we present a backdoored version of the hash function where collisions can be generated with practical complexity. Lastly, we propose a fault analysis attack which retrieves the inputs of the compression function and utilize it to recover the secret key when Streebog is used in the keyed simple prefix and secret-IV MACs, HMAC, or NMAC. All the presented results are on reduced round variants of the function except for our analysis of the malicious version of Streebog and our fault analysis attack where both attacks cover the full round hash function. Next, we examine the preimage resistance of the AES-based Maelstrom-0 hash function which is designed to be a lightweight alternative to the ISO standardized hash function Whirlpool. One of the distinguishing features of the Maelstrom-0 design is the proposal of a new chaining construction called 3CM which is based on the 3C/3C+ family. In our analysis, we employ a 4-stage approach that uses a modified technique to defeat the 3CM chaining construction and generates preimages of the 6-round reduced Maelstrom-0 hash function. Finally, we provide a key recovery attack on the new Russian encryption standard GOST R 34.12- 2015, also known as Kuznyechik. Although Kuznyechik adopts an AES-based design, it exhibits a faster diffusion rate as it employs an optimal diffusion transformation. In our analysis, we propose a meet-in-the-middle attack using the idea of efficient differential enumeration where we construct a three round distinguisher and consequently are able to recover 16-bytes of the master key of the reduced 5-round cipher. We also present partial sequence matching, by which we generate, store, and match parts of the compared parameters while maintaining negligible probability of matching error, thus the overall online time complexity of the attack is reduced

    Partial Sums Meet FFT: Improved Attack on 6-Round AES

    Get PDF
    The partial sums cryptanalytic technique was introduced in 2000 by Ferguson et al., who used it to break 6-round AES with time complexity of 2522^{52} S-box computations -- a record that has not been beaten ever since. In 2014, Todo and Aoki showed that for 6-round AES, partial sums can be replaced by a technique based on the Fast Fourier Transform (FFT), leading to an attack with a comparable complexity. In this paper we show that the partial sums technique can be combined with an FFT-based technique, to get the best of the two worlds. Using our combined technique, we obtain an attack on 6-round AES with complexity of about 246.42^{46.4} additions. We fully implemented the attack experimentally, along with the partial sums attack and the Todo-Aoki attack, and confirmed that our attack improves the best known attack on 6-round AES by a factor of more than 32. We expect that our technique can be used to significantly enhance numerous attacks that exploit the partial sums technique. To demonstrate this, we use our technique to improve the best known attack on 7-round Kuznyechik by a factor of more than 80, and to reduce the complexity of the best known attack on the full MISTY1 from 269.52^{69.5} to 2672^{67}

    Multiset-Algebraic Cryptanalysis of Reduced Kuznyechik, Khazad, and secret SPNs

    Get PDF
    We devise the first closed formula for the number of rounds of a blockcipher with secret components so that these components can be revealed using multiset, algebraic-degree, or division-integral properties, which in this case are equivalent. Using the new result, we attack 7 (out of 9) rounds of Kuznyechik, the recent Russian blockcipher standard, thus halving its security margin. With the same technique we attack 6 (out of 8) rounds of Khazad, the legacy 64-bit blockcipher. Finally, we show how to cryptanalyze and find a decomposition of generic SPN construction for which the inner-components are secret. All the attacks are the best to date

    Cryptanalysis of Block Ciphers with New Design Strategies

    Get PDF
    Block ciphers are among the mostly widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public-key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and discrete logarithm problem in the DiffieHellman. Therefore, their security are mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques. Our research is dedicated to the cryptanalysis of block ciphers. In particular, throughout this thesis, we investigate the security of some block ciphers constructed with new design strategies. These new strategies include (i) employing simple round function, and modest key schedule, (ii) using another input called tweak rather than the usual two inputs of the block ciphers, the plaintext and the key, to instantiate different permutations for the same key. This type of block ciphers is called a tweakable block cipher, (iii) employing linear and non-linear components that are energy efficient to provide low energy consumption block ciphers, (iv) employing optimal diffusion linear transformation layer while following the AES-based construction to provide faster diffusion rate, and (v) using rather weak but larger S-boxes in addition to simple linear transformation layers to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. The results presented in this thesis can be summarized as follows: Initially, we analyze the security of two lightweight block ciphers, namely, Khudra and Piccolo against Meet-in-the-Middle (MitM) attack based on the Demirci and Selcuk approach exploiting the simple design of the key schedule and round function. Next, we investigate the security of two tweakable block ciphers, namely, Kiasu-BC and SKINNY. According to the designers, the best attack on Kiasu-BC covers 7 rounds. However, we exploited the tweak to present 8-round attack using MitM with efficient enumeration cryptanalysis. Then, we improve the previous results of the impossible differential cryptanalysis on SKINNY exploiting the tweakey schedule and linear transformation layer. Afterwards, we study the security of new low energy consumption block cipher, namely, Midori128 where we present the longest impossible differential distinguishers that cover complete 7 rounds. Then, we utilized 4 of these distinguishers to launch key recovery attack against 11 rounds of Midori128 to improve the previous results on this cipher using the impossible differential cryptanalysis. Then, using the truncated differential cryptanalysis, we are able to attack 13 rounds of Midori128 utilizing a 10-round differential distinguisher. We also analyze Kuznyechik, the standard Russian federation block cipher, against MitM with efficient enumeration cryptanalysis where we improve the previous results on Kuznyechik, using MitM attack with efficient enumeration, by presenting 6-round attack. Unlike the previous attack, our attack exploits the exact values of the coefficients of the MDS transformation that is used in the cipher. Finally, we present key recovery attacks using the multidimensional zero-correlation cryptanalysis against SPARX-128, which follows the long trail design strategy, to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis

    Exponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog

    Get PDF
    The block cipher Kuznyechik and the hash function Streebog were recently standardized by the Russian Federation. These primitives use a common 8-bit S-Box, denote

    A Meet-in-the-Middle Attack on Reduced-Round Kalyna-b/2b

    Get PDF
    Kalyna is an SPN-based block cipher that was selected during Ukrainian national public cryptographic competition (2007-2010), and its slight modification was approved as the new encryption standard of Ukraine (DSTU 7624:2014) in 2015. The cipher supports a block size and a key length of 128, 256 and 512 bits where the size of the key can be either double or equal to that of the block length. According to its designers, the cipher provides strength to several cryptanalytic methods after the fifth and sixth rounds of the 128-bit and 256-bit block versions, respectively. In this paper, we present a meet-in-the-middle attack on the 7-round reduced versions of Kalyna where the key size is double the block length. Our attack is based on the differential enumeration approach where we carefully deploy a four round distinguisher in the first four rounds to bypass the effect of the carry bits resulting from the pre-whitening modular key addition. We also exploit the linear relation between consecutive odd and even indexed round keys which enables us to attack seven rounds and recover all the round keys incrementally. The attack on Kalyna with 128-bit block has a data complexity of 2892^{89} chosen plaintexts, time complexity of 2230.22^{230.2} and a memory complexity of 2202.642^{202.64}. The data, time and memory complexities of our attack on Kalyna with 256-bit block are 22332^{233}, 2502.22^{502.2} and 21702^{170}, respectively

    MILP-aided Cryptanalysis of Some Block Ciphers

    Get PDF
    Symmetric-key cryptographic primitives, such as block ciphers, play a pivotal role in achieving confidentiality, integrity, and authentication – which are the core services of information security. Since symmetric-key primitives do not rely on well-defined hard mathematical problems, unlike public-key primitives, there are no formal mathematical proofs for the security of symmetric-key primitives. Consequently, their security is guaranteed only by measuring their immunity against a set of predefined cryptanalysis techniques, e.g., differential, linear, impossible differential, and integral cryptanalysis. The attacks based on cryptanalysis techniques usually include searching in an exponential space of patterns, and for a long time, cryptanalysts have performed this task manually. As a result, it has been hard, time-consuming, and an error-prone task. Indeed, the need for automatic tools becomes more pressing. This thesis is dedicated to investigating the security of symmetric-key cryptographic primitives, precisely block ciphers. One of our main goals is to utilize Mixed Integer Linear Programming (MILP) to automate the evaluation and the validation of block cipher security against a wide range of cryptanalysis techniques. Our contributions can be summarized as follows. First, we investigate the security of two recently proposed block ciphers, CRAFT and SPARX-128/256 against two variants of differential cryptanalysis. We utilize the simple key schedule of CRAFT to construct several repeatable 2-round related-key differential characteristics with the maximum differential probability. Consequently, we are able to mount a practical key recovery attack on full-round CRAFT in the related-key setting. In addition, we use impossible differential cryptanalysis to assess SPARX-128/256 that is provable secure against single-trail differential and linear cryptanalysis. As a result, we can attack 24 rounds similar to the internal attack presented by the designers. However, our attack is better than the integral attack regarding the time and memory complexities. Next, we tackle the limitation of the current Mixed Integer Linear Programming (MILP) model to automate the search for differential distinguishers through modular additions. The current model assumes that the inputs to the modular addition and the consecutive rounds are independent. However, we show that this assumption does not necessarily hold and the current model might lead to invalid attacks. Accordingly, we propose a more accurate MILP model that takes into account the dependency between consecutive modular additions. As a proof of the validity and efficiency of our model, we use it to analyze the security of Bel-T cipher—the standard of the Republic of Belarus. Afterwards, we shift focus to another equally important cryptanalysis technique, i.e., integral cryptanalysis using the bit-based division property (BDP). We present MILP models to automate the search for the BDP through modular additions with a constant and modular subtractions. Consequently, we assess the security of Bel-T block cipher against the integral attacks. Next, we analyze the security of the tweakable block cipher T-TWINE. We present key recovery attacks on 27 and 28 rounds of T-TWINE-80 and T-TWINE-128, respectively. Finally, we address the limitation of the current MILP model for the propagation of the bit-based division property through large non-bit-permutation linear layers. The current models are either inaccurate, which might lead to missing some balanced bits, or inefficient in terms of the number of constraints. As a proof of the effectiveness of our approach, we improve the previous 3- and 4-round integral distinguishers of the Russian encryption standard—Kuznyechik, and the 4-round one of PHOTON’s internal permutation (P288). We also report a 4-round integral distinguisher for the Ukrainian standard Kalyna and a 5-round integral distinguisher for PHOTON’s internal permutation (P288)

    Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

    Get PDF
    In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography. In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy. Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics. Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive

    Оценка характеристик перемешивания хэш-функций семейства MD

    Get PDF
    Матрично-графовый подход (МГП), нашедший успешное применение к оценке свойств итеративных блочных шифров и генераторов ключевого расписания, впервые представлен как инструмент оценивания перемешивающих свойств алгоритмов хэширования. Особенность применения МГП к хэш-функциям связана с неочевидностью построения перемешивающих матриц, характеризующих зависимость битов сгенерированного хэш-значения от битов исходного сообщения. Для хэш-функций MD4, MD5, SHA-1, SHA-256 построены перемешивающие матрицы порядка 512 + n, где n — длина блока, с которым оперирует односторонняя функция сжатия алгоритма хэширования при обработке 512-битового блока входного сообщения (n = 128 для MD4 и MD5, n = 160 для SHA-1 и n = 256 для SHA-256). К исследованным характеристикам перемешивания относятся локальные экспоненты перемешивающих матриц, то есть для каждой матрицы M определено наименьшее натуральное число y, такое, что при любом натуральном т y положительны все столбцы матрицы Мт с номерами 513, 514,..., 512 + n. Значения локальных экспонентов являются нижними оценками числа итераций, после которых каждый бит сгенерированного хэш-значения может существенно зависеть от всех битов исходного сообщения. Полученные значения (y = 21 для MD4, MD5, SHA-256 и y = 23 для SHA-1) косвенно свидетельствуют о схожих криптографических качествах рассмотренных алгоритмов хэширования, несмотря на варианты их усиления за счёт увеличения длины блока и усложнения функци
    corecore