Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2^27, improving on the original 767-round cube attack

Security analysis of NIST-LWC contest finalists

Dissertação de mestrado integrado em Informatics EngineeringTraditional cryptographic standards are designed with a desktop and server environment in mind, so, with the relatively recent proliferation of small, resource constrained devices in the Internet of Things, sensor networks, embedded systems, and more, there has been a call for lightweight cryptographic standards with security, performance and resource requirements tailored for the highly-constrained environments these devices find themselves in. In 2015 the National Institute of Standards and Technology began a Standardization Process in order to select one or more Lightweight Cryptographic algorithms. Out of the original 57 submissions ten finalists remain, with ASCON and Romulus being among the most scrutinized out of them. In this dissertation I will introduce some concepts required for easy understanding of the body of work, do an up-to-date revision on the current situation on the standardization process from a security and performance standpoint, a description of ASCON and Romulus, and new best known analysis, and a comparison of the two, with their advantages, drawbacks, and unique traits.Os padrões criptográficos tradicionais foram elaborados com um ambiente de computador e servidor em mente. Com a proliferação de dispositivos de pequenas dimensões tanto na Internet of Things, redes de sensores e sistemas embutidos, apareceu uma necessidade para se definir padrões para algoritmos de criptografia leve, com prioridades de segurança, performance e gasto de recursos equilibrados para os ambientes altamente limitados em que estes dispositivos operam. Em 2015 o National Institute of Standards and Technology lançou um processo de estandardização com o objectivo de escolher um ou mais algoritmos de criptografia leve. Das cinquenta e sete candidaturas originais sobram apenas dez finalistas, sendo ASCON e Romulus dois desses finalistas mais examinados. Nesta dissertação irei introduzir alguns conceitos necessários para uma fácil compreensão do corpo deste trabalho, assim como uma revisão atualizada da situação atual do processo de estandardização de um ponto de vista tanto de segurança como de performance, uma descrição do ASCON e do Romulus assim como as suas melhores análises recentes e uma comparação entre os dois, frisando as suas vantagens, desvantagens e aspectos únicos

A NOVEL ARCHITECTURE WITH SCALABLE SECURITY HAVING EXPANDABLE COMPUTATIONAL COMPLEXITY FOR STREAM CIPHERS

Stream cipher designs are difficult to implement since they are prone to weaknesses based on usage, with properties being similar to one-time pad besides keystream is subjected to very strict requirements. Contemporary stream cipher designs are highly vulnerable to algebraic cryptanalysis based on linear algebra, in which the inputs and outputs are formulated as multivariate polynomial equations. Solving a nonlinear system of multivariate equations will reduce the complexity, which in turn yields the targeted secret information. Recently, Addition Modulo  has been suggested over logic XOR as a mixing operator to guard against such attacks. However, it has been observed that the complexity of Modulo Addition can be drastically decreased with the appropriate formulation of polynomial equations and probabilistic conditions. A new design for Addition Modulo is proposed. The framework for the new design is characterized by user-defined expandable security for stronger encryption and does not impose changes in existing layout for any stream cipher such as SNOW 2.0, SOSEMANUK, CryptMT, Grain Family, etc. The structure of the proposed design is highly scalable, which boosts the algebraic degree and thwarts the probabilistic conditions by maintaining the original hardware complexity without changing the integrity of the Addition Modulo

Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery

In this paper, we describe a new variant of cube attacks called correlation cube attack. The new attack recovers the secret key of a cryptosystem by exploiting conditional correlation properties between the superpoly of a cube and a specific set of low-degree polynomials that we call a basis, which satisfies that the superpoly is a zero constant when all the polynomials in the basis are zeros. We present a detailed procedure of correlation cube attack for the general case, including how to find a basis of the superpoly of a given cube. One of the most significant advantages of this new analysis technique over other variants of cube attacks is that it converts from a weak-key distinguisher to a key recovery attack. As an illustration, we apply the attack to round-reduced variants of the stream cipher Trivium. Based on the tool of numeric mapping introduced by Liu at CRYPTO 2017, we develop a specific technique to efficiently find a basis of the superpoly of a given cube as well as a large set of potentially good cubes used in the attack on Trivium variants, and further set up deterministic or probabilistic equations on the key bits according to the conditional correlation properties between the superpolys of the cubes and their bases. For a variant when the number of initialization rounds is reduced from 1152 to 805, we can recover about 7-bit key information on average with time complexity $2^{44}$, using $2^{45}$ keystream bits and preprocessing time $2^{51}$. For a variant of Trivium reduced to 835 rounds, we can recover about 5-bit key information on average with the same complexity. All the attacks are practical and fully verified by experiments. To the best of our knowledge, they are thus far the best known key recovery attacks for these variants of Trivium, and this is the first time that a weak-key distinguisher on Trivium stream cipher can be converted to a key recovery attack

QUAD: Overview and Recent Developments

We give an outline of the specification and provable security features of the QUAD stream cipher proposed at Eurocrypt 2006. The cipher relies on the iteration of a multivariate system of quadratic equations over a finite field, typically GF(2) or a small extension. In the binary case, the security of the keystream generation can be related, in the concrete security model, to the conjectured intractability of the MQ problem of solving a random system of m equations in n unknowns. We show that this security reduction can be extended to incorporate the key and IV setup and provide a security argument related to the whole stream cipher.We also briefly address software and hardware performance issues and show that if one is willing to pseudorandomly generate the systems of quadratic polynomials underlying the cipher, this leads to suprisingly inexpensive hardware implementations of QUAD

Security of lightweight cryptographic algorithms

Η διπλωματική εργασία μελετά τους lightweight κρυπτογραφικούς αλγορίθμους, εστιάζοντας σε συγκεκριμένα χαρακτηριστικά ασφάλειας. Πιο συγκεκριμένα, θα αναλυθούν, θα αξιολογηθούν και θα ταξινομηθούν σε διάφορες κατηγορίες, όπως αν είναι block ή stream ciphers και αν είναι authenticated ή όχι, κάποιοι lightweight αλγόριθμοι. Αυτή η ταξινόμηση αφορά αλγόριθμους που βρίσκονται σε διαδικασία προτυποποίησης και συμμετέχουν στο διαγωνισμό του NIST (National Institution of Standards and Technology), Lightweight Crypto. Στη συνέχεια, θα δοθεί έμφαση στις Boolean Functions που χρησιμοποιούν αυτοί οι lightweight κρυπτογραφικοί αλγόριθμοι, με σκοπό να υπολογιστούν οι κρυπτογραφικές ιδιότητες των συναρτήσεων αυτών και να αξιολογηθεί η ανθεκτικότητα αυτών των αλγορίθμων ενάντια σε κρυπταναλυτικές επιθέσεις. Η ανάλυσή μας δείχνει πως δεν υπάρχει καμία Boolean function που να ικανοποιεί όλες τις κρυπτογραφικές ιδιότητες και έτσι απαιτείται περαιτέρω έρευνα για να διευκρινιστεί αν οι ευπάθειες αυτές των Boolean functions μπορούν να χρησιμοποιηθούν για την διεξαγωγή κρυπταναλυτικής επίθεσης.This thesis studies the lightweight cryptographic algorithms, focusing on specific security features. In particular, many lightweight algorithms are being analyzed, evaluated and classified into several categories including but not limited to block/stream ciphers, either being authenticated or not. This categorization consists of algorithms that are in the progress of standardization, competing in the NIST (National Institution of Standards and Technology) Lightweight Crypto Standardization process. Next, emphasis will be given on the Boolean functions that these Lightweight cryptographic algorithms utilize, with the aim to calculate the cryptographic properties of such functions towards evaluating the resistance of these algorithms against several cryptanalytic attacks. Our analysis illustrates that there is no cryptographic Boolean function satisfying all the cryptographic properties and, thus, further research is needed in order to evaluate whether such vulnerabilities of underlying Boolean functions can actually be exploited in order to mount a cryptanalytic attac