32 research outputs found
A Bit-Vector Differential Model for the Modular Addition by a Constant
ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR, which achieve the best software performances in low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, the recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty to formulate this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods.
In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains O(log2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability. We also represent an SMT-based automated method to look for differential characteristics of ARX, including constant additions, and we provide an open-source tool ArxPy to find ARX differential characteristics in a fully automated way. To provide some examples, we have searched for related-key differential characteristics of TEA, XTEA, HIGHT, and LEA, obtaining better results than previous works. Our differential model and our automated tool allow cipher designers to select the best constant inputs for modular additions and cryptanalysts to evaluate the resistance of ARX ciphers against differential attacks.acceptedVersio
Impossible Differential Cryptanalysis of the Lightweight Block Ciphers TEA, XTEA and HIGHT
TEA, XTEA and HIGHT are lightweight block ciphers with 64-bit block sizes and 128-bit keys. The round functions of the three ciphers are based on the simple operations XOR, modular addition and shift/rotation. TEA and XTEA are Feistel ciphers with 64 rounds designed by Needham and Wheeler, where XTEA is a successor of TEA, which was proposed by the same authors as an enhanced version of TEA. Whilst HIGHT, which is designed by Hong et al., is a generalized Feistel cipher with 32 rounds and eight 8-bit words in each round. On the one hand, all these ciphers are simple and easy to implement; on the other hand, the diffusion is slow, which allow us to find some impossible properties.
This paper proposes a method to identify the impossible differentials for TEA and XTEA by using the diffusion property of these block ciphers, where the impossible differential comes from one bit contradiction. By means of the method, 14-round impossible differential of XTEA and 13-round impossible differential of TEA are derived, which results in improved impossible differential attacks on 23-round XTEA and 17-round TEA, respectively. These attacks significantly improve the previous 11-round impossible differential attack on TEA and 14-round impossible differential attack on XTEA given by Moon et al. from FSE 2002. For HIGHT, we improve the 26-round impossible differential attack proposed by Özen et al.; an impossible differential attack on 27-round HIGHT that is slightly faster that the exhaustive search is also given. The attacks on TEA, XTEA and HIGHT are also the best attacks in terms of time complexity
A Bit-Vector Differential Model for the Modular Addition by a Constant and its Applications to Differential and Impossible-Differential Cryptanalysis
ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, the recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding the differential models of the non-linear operations. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods.
In this paper, we present the first bit-vector differential model for the -bit modular addition by a constant input. Our model contains basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers including constant additions. We also introduce a new automated method for obtaining impossible differentials where we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool \texttt{ArxPy} to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As some examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which achieve better results compared to previous works
A Bit-Vector Differential Model for the Modular Addition by a Constant
ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR, which achieve the best software performances in low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, the recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty to formulate this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods.
In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains O(log_2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability. We also represent an SMT-based automated method to look for differential characteristics of ARX, including constant additions, and we provide an open-source tool ArxPy to find ARX differential characteristics in a fully automated way. To provide some examples, we have searched for related-key differential characteristics of TEA, XTEA, HIGHT, and LEA, obtaining better results than previous works. Our differential model and our automated tool allow cipher designers to select the best constant inputs for modular additions and cryptanalysts to evaluate the resistance of ARX ciphers against differential attacks
Cryptanalysis of Block Ciphers
The block cipher is one of the most important primitives in
modern cryptography, information and network security; one of
the primary purposes of such ciphers is to provide
confidentiality for data transmitted in insecure communication
environments. To ensure that confidentiality is robustly
provided, it is essential to investigate the security of a
block cipher against a variety of cryptanalytic attacks.
In this thesis, we propose a new extension of differential
cryptanalysis, which we call the impossible boomerang attack.
We describe the early abort technique for (related-key)
impossible differential cryptanalysis and rectangle attacks.
Finally, we analyse the security of a number of block ciphers
that are currently being widely used or have recently been
proposed for use in emerging cryptographic applications; our
main cryptanalytic results are as follows.
An impossible differential attack on 7-round AES when used with
128 or 192 key bits, and an impossible differential attack on
8-round AES when used with 256 key bits. An impossible
boomerang attack on 6-round AES when used with 128 key bits,
and an impossible boomerang attack on 7-round AES when used
with 192 or 256 key bits. A related-key impossible boomerang
attack on 8-round AES when used with 192 key bits, and a
related-key impossible boomerang attack on 9-round AES when
used with 256 key bits, both using two keys.
An impossible differential attack on 11-round reduced Camellia
when used with 128 key bits, an impossible differential attack
on 12-round reduced Camellia when used with 192 key bits, and
an impossible differential attack on 13-round reduced Camellia
when used with 256 key bits.
A related-key rectangle attack on the full Cobra-F64a, and a
related-key differential attack on the full Cobra-F64b.
A related-key rectangle attack on 44-round SHACAL-2.
A related-key rectangle attack on 36-round XTEA.
An impossible differential attack on 25-round reduced HIGHT, a
related-key rectangle attack on 26-round reduced HIGHT, and a
related-key impossible differential attack on 28-round reduced
HIGHT.
In terms of either the attack complexity or the numbers of
attacked rounds, the attacks presented in the thesis are better
than any previously published cryptanalytic results for the
block ciphers concerned, except in the case of AES; for AES,
the presented impossible differential attacks on 7-round AES
used with 128 key bits and 8-round AES used with 256 key bits
are the best currently published results on AES in a single key
attack scenario, and the presented related-key impossible
boomerang attacks on 8-round AES used with 192 key bits and
9-round AES used with 256 key bits are the best currently
published results on AES in a related-key attack scenario
involving two keys
Técnicas de segurança para a internet das coisas
Mestrado em Engenharia de Computadores e TelemáticaIoT assume que dispositivos limitados, tanto em capacidades computacionais
como em energia disponível, façam parte da sua infraestrutura. Dispositivos
esses que apresentam menos capacidades e mecanismos de defesa do que
as máquinas de uso geral. É imperativo aplicar segurança nesses dispositivos
e nas suas comunicações de maneira a prepará-los para as ameaças da
Internet e alcançar uma verdadeira e segura Internet das Coisas, em concordância
com as visões atuais para o futuro. Esta dissertação pretende ser um
pequeno passo nesse sentido, apresentando alternativas para proteger as comunicações
de dispositivos restritos numa perspetiva de performance assim
como avaliar o desempenho e a ocupação de recursos por parte de primitivas
criptográficas quando são aplicadas em dispositivos reais. Dado que a
segurança em diversas ocasiões tem de se sujeitar aos recursos deixados
após a implementação de funcionalidades, foi colocada uma implementação
de exposição de funcionalidades, recorrendo ao uso de CoAP, num dispositivo
fabricado com intenção de ser usado em IoT e avaliada de acordo com a
sua ocupação de recursos.IoT comprehends devices constrained in both computational capabilities and
available energy to be a part of its infrastructure. Devices which also present
less defense capabilities and mechanisms than general purpose machines.
It’s imperative to secure such devices and their communications in order to
prepare them for the Internet menaces and achieve a true and secure Internet
of Things compliant with today’s future visions. This dissertation intends
to be a small step towards such future by presenting alternatives to protect
constrained device’s communications in a performance related perspective as
well as benchmarks and evaluation of resources used by cryptographic primitives
when implemented on real devices. Due to security being on multiple
occasions subjected to the resources available only after functionalities implementation,
a minimalist implementation of functionalities exposure through
the use of CoAP was also deployed in an IoT intended device and assessed
according to resource overhead
Revisiting Lightweight Block Ciphers: Review, Taxonomy and Future directions
Block ciphers have been extremely predominant in the area of cryptography and due to the paradigm shift towards devices of resource constrained nature, lightweight block ciphers have totally influenced the field and has been a go-to option ever since. The growth of resource constrained devices have put forth a dire need for the security solutions that are feasible in terms of resources without taking a toll on the security that they offer. As the world is starting to move towards Internet of Things (IoT), data security and privacy in this environment is a major concern. This is due to the reason that a huge number of devices that operate in this environment are resource constrained. Because of their resource-constrained nature, advanced mainstream cryptographic ciphers and techniques do not perform as efficiently on such devices. This has led to the boom in the field of \u27lightweight cryptography\u27 which aims at developing cryptographic techniques that perform efficiently in a resource constrained environment. Over the period of past two decades or so, a bulk of lightweight block ciphers have been proposed due to the
growing need and demand in lightweight cryptography. In this paper, we review the state-of-the-art lightweight block ciphers, present a comprehensive design niche, give a detailed taxonomy with multiple classifications and present future research directions
A Salad of Block Ciphers
This book is a survey on the state of the art in block cipher design and analysis.
It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months.
However, it is also in a self-contained, useable, and relatively polished state, and for this reason
I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much.
At some point I will produce a final version -- whatever being a ``final version\u27\u27 means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people
Notions and relations for RKA-secure permutation and function families
The theory of designing block ciphers is mature, having seen signi¯cant
progress since the early 1990s for over two decades, especially during the AES devel-
opment e®ort. Nevertheless, interesting directions exist, in particular in the study of
the provable security of block ciphers along similar veins as public-key primitives, i.e.
the notion of pseudorandomness (PRP) and indistinguishability (IND). Furthermore,
recent cryptanalytic progress has shown that block ciphers well designed against known
cryptanalysis techniques including related-key attacks (RKA) may turn out to be less
secure against related-key attacks than expected. The notion of provable security of
block ciphers against related-key attacks was initiated by Bellare and Kohno, and sub-
sequently treated by Lucks. Concrete block cipher constructions were proposed therein
with provable security guarantees. In this paper, we are interested in the security no-
tions for RKA-secure block ciphers