A Bit-Vector Differential Model for the Modular Addition by a Constant

ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR, which achieve the best software performances in low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, the recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty to formulate this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains O(log2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability. We also represent an SMT-based automated method to look for differential characteristics of ARX, including constant additions, and we provide an open-source tool ArxPy to find ARX differential characteristics in a fully automated way. To provide some examples, we have searched for related-key differential characteristics of TEA, XTEA, HIGHT, and LEA, obtaining better results than previous works. Our differential model and our automated tool allow cipher designers to select the best constant inputs for modular additions and cryptanalysts to evaluate the resistance of ARX ciphers against differential attacks.acceptedVersio

Impossible Differential Cryptanalysis of the Lightweight Block Ciphers TEA, XTEA and HIGHT

TEA, XTEA and HIGHT are lightweight block ciphers with 64-bit block sizes and 128-bit keys. The round functions of the three ciphers are based on the simple operations XOR, modular addition and shift/rotation. TEA and XTEA are Feistel ciphers with 64 rounds designed by Needham and Wheeler, where XTEA is a successor of TEA, which was proposed by the same authors as an enhanced version of TEA. Whilst HIGHT, which is designed by Hong et al., is a generalized Feistel cipher with 32 rounds and eight 8-bit words in each round. On the one hand, all these ciphers are simple and easy to implement; on the other hand, the diffusion is slow, which allow us to find some impossible properties. This paper proposes a method to identify the impossible differentials for TEA and XTEA by using the diffusion property of these block ciphers, where the impossible differential comes from one bit contradiction. By means of the method, 14-round impossible differential of XTEA and 13-round impossible differential of TEA are derived, which results in improved impossible differential attacks on 23-round XTEA and 17-round TEA, respectively. These attacks significantly improve the previous 11-round impossible differential attack on TEA and 14-round impossible differential attack on XTEA given by Moon et al. from FSE 2002. For HIGHT, we improve the 26-round impossible differential attack proposed by Özen et al.; an impossible differential attack on 27-round HIGHT that is slightly faster that the exhaustive search is also given. The attacks on TEA, XTEA and HIGHT are also the best attacks in terms of time complexity

A Bit-Vector Differential Model for the Modular Addition by a Constant and its Applications to Differential and Impossible-Differential Cryptanalysis

ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, the recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding the differential models of the non-linear operations. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the $n$-bit modular addition by a constant input. Our model contains $O(\log_2(n))$ basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers including constant additions. We also introduce a new automated method for obtaining impossible differentials where we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool \texttt{ArxPy} to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As some examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which achieve better results compared to previous works

A Bit-Vector Differential Model for the Modular Addition by a Constant

ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR, which achieve the best software performances in low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, the recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty to formulate this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains O(log_2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability. We also represent an SMT-based automated method to look for differential characteristics of ARX, including constant additions, and we provide an open-source tool ArxPy to find ARX differential characteristics in a fully automated way. To provide some examples, we have searched for related-key differential characteristics of TEA, XTEA, HIGHT, and LEA, obtaining better results than previous works. Our differential model and our automated tool allow cipher designers to select the best constant inputs for modular additions and cryptanalysts to evaluate the resistance of ARX ciphers against differential attacks

Cryptanalysis of Block Ciphers

The block cipher is one of the most important primitives in modern cryptography, information and network security; one of the primary purposes of such ciphers is to provide confidentiality for data transmitted in insecure communication environments. To ensure that confidentiality is robustly provided, it is essential to investigate the security of a block cipher against a variety of cryptanalytic attacks. In this thesis, we propose a new extension of differential cryptanalysis, which we call the impossible boomerang attack. We describe the early abort technique for (related-key) impossible differential cryptanalysis and rectangle attacks. Finally, we analyse the security of a number of block ciphers that are currently being widely used or have recently been proposed for use in emerging cryptographic applications; our main cryptanalytic results are as follows. An impossible differential attack on 7-round AES when used with 128 or 192 key bits, and an impossible differential attack on 8-round AES when used with 256 key bits. An impossible boomerang attack on 6-round AES when used with 128 key bits, and an impossible boomerang attack on 7-round AES when used with 192 or 256 key bits. A related-key impossible boomerang attack on 8-round AES when used with 192 key bits, and a related-key impossible boomerang attack on 9-round AES when used with 256 key bits, both using two keys. An impossible differential attack on 11-round reduced Camellia when used with 128 key bits, an impossible differential attack on 12-round reduced Camellia when used with 192 key bits, and an impossible differential attack on 13-round reduced Camellia when used with 256 key bits. A related-key rectangle attack on the full Cobra-F64a, and a related-key differential attack on the full Cobra-F64b. A related-key rectangle attack on 44-round SHACAL-2. A related-key rectangle attack on 36-round XTEA. An impossible differential attack on 25-round reduced HIGHT, a related-key rectangle attack on 26-round reduced HIGHT, and a related-key impossible differential attack on 28-round reduced HIGHT. In terms of either the attack complexity or the numbers of attacked rounds, the attacks presented in the thesis are better than any previously published cryptanalytic results for the block ciphers concerned, except in the case of AES; for AES, the presented impossible differential attacks on 7-round AES used with 128 key bits and 8-round AES used with 256 key bits are the best currently published results on AES in a single key attack scenario, and the presented related-key impossible boomerang attacks on 8-round AES used with 192 key bits and 9-round AES used with 256 key bits are the best currently published results on AES in a related-key attack scenario involving two keys

Técnicas de segurança para a internet das coisas

Mestrado em Engenharia de Computadores e TelemáticaIoT assume que dispositivos limitados, tanto em capacidades computacionais como em energia disponível, façam parte da sua infraestrutura. Dispositivos esses que apresentam menos capacidades e mecanismos de defesa do que as máquinas de uso geral. É imperativo aplicar segurança nesses dispositivos e nas suas comunicações de maneira a prepará-los para as ameaças da Internet e alcançar uma verdadeira e segura Internet das Coisas, em concordância com as visões atuais para o futuro. Esta dissertação pretende ser um pequeno passo nesse sentido, apresentando alternativas para proteger as comunicações de dispositivos restritos numa perspetiva de performance assim como avaliar o desempenho e a ocupação de recursos por parte de primitivas criptográficas quando são aplicadas em dispositivos reais. Dado que a segurança em diversas ocasiões tem de se sujeitar aos recursos deixados após a implementação de funcionalidades, foi colocada uma implementação de exposição de funcionalidades, recorrendo ao uso de CoAP, num dispositivo fabricado com intenção de ser usado em IoT e avaliada de acordo com a sua ocupação de recursos.IoT comprehends devices constrained in both computational capabilities and available energy to be a part of its infrastructure. Devices which also present less defense capabilities and mechanisms than general purpose machines. It’s imperative to secure such devices and their communications in order to prepare them for the Internet menaces and achieve a true and secure Internet of Things compliant with today’s future visions. This dissertation intends to be a small step towards such future by presenting alternatives to protect constrained device’s communications in a performance related perspective as well as benchmarks and evaluation of resources used by cryptographic primitives when implemented on real devices. Due to security being on multiple occasions subjected to the resources available only after functionalities implementation, a minimalist implementation of functionalities exposure through the use of CoAP was also deployed in an IoT intended device and assessed according to resource overhead

Revisiting Lightweight Block Ciphers: Review, Taxonomy and Future directions

Block ciphers have been extremely predominant in the area of cryptography and due to the paradigm shift towards devices of resource constrained nature, lightweight block ciphers have totally influenced the field and has been a go-to option ever since. The growth of resource constrained devices have put forth a dire need for the security solutions that are feasible in terms of resources without taking a toll on the security that they offer. As the world is starting to move towards Internet of Things (IoT), data security and privacy in this environment is a major concern. This is due to the reason that a huge number of devices that operate in this environment are resource constrained. Because of their resource-constrained nature, advanced mainstream cryptographic ciphers and techniques do not perform as efficiently on such devices. This has led to the boom in the field of \u27lightweight cryptography\u27 which aims at developing cryptographic techniques that perform efficiently in a resource constrained environment. Over the period of past two decades or so, a bulk of lightweight block ciphers have been proposed due to the growing need and demand in lightweight cryptography. In this paper, we review the state-of-the-art lightweight block ciphers, present a comprehensive design niche, give a detailed taxonomy with multiple classifications and present future research directions

A Salad of Block Ciphers

This book is a survey on the state of the art in block cipher design and analysis. It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months. However, it is also in a self-contained, useable, and relatively polished state, and for this reason I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much. At some point I will produce a final version -- whatever being a ``final version\u27\u27 means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people

Notions and relations for RKA-secure permutation and function families

The theory of designing block ciphers is mature, having seen signi¯cant progress since the early 1990s for over two decades, especially during the AES devel- opment e®ort. Nevertheless, interesting directions exist, in particular in the study of the provable security of block ciphers along similar veins as public-key primitives, i.e. the notion of pseudorandomness (PRP) and indistinguishability (IND). Furthermore, recent cryptanalytic progress has shown that block ciphers well designed against known cryptanalysis techniques including related-key attacks (RKA) may turn out to be less secure against related-key attacks than expected. The notion of provable security of block ciphers against related-key attacks was initiated by Bellare and Kohno, and sub- sequently treated by Lucks. Concrete block cipher constructions were proposed therein with provable security guarantees. In this paper, we are interested in the security no- tions for RKA-secure block ciphers