Rijndael Circuit Level Cryptanalysis

The Rijndael cipher was chosen as the Advanced Encryption Standard (AES) in August 1999. Its internal structure exhibits unusual properties such as a clean and simple algebraic description for the S-box. In this research, we construct a scalable family of ciphers which behave very much like the original Rijndael. This approach gives us the opportunity to use computational complexity theory. In the main result, we generate a candidate one-way function family from the scalable Rijndael family. We note that, although reduction to one-way functions is a common theme in the theory of public-key cryptography, it is rare to have such a defense of security in the private-key theatre. In this thesis a plan of attack is introduced at the circuit level whose aim is not break the cryptosystem in any practical way, but simply to break the very bold Rijndael security claim. To achieve this goal, we are led to a formal understanding of the Rijndael security claim, juxtaposing it with rigorous security treatments. Several of the questions that arise in this regard are as follows: ``Do invertible functions represented by circuits with very small numbers of gates have better than worst case implementations for their inverses?\u27 ``How many plaintext/ciphertext pairs are needed to uniquely determine the Rijndael key?\u2

Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption

Password-based key derivation functions (PBKDFs) are commonly used to transform user passwords into keys for symmetric encryption, as well as for user authentication, password hashing, and preventing attacks based on custom hardware. We propose two optimized alternatives that enhance the performance of a previously published PBKDF. This design is based on (1) employing a symmetric cipher, the Advanced Encryption Standard (AES), as a pseudo-random generator and (2) taking advantage of the support for the hardware acceleration for AES that is available on many common platforms in order to mitigate common attacks to password-based user authentication systems. We also analyze their security characteristics, establishing that they are equivalent to the security of the core primitive (AES), and we compare their performance with well-known PBKDF algorithms, such as Scrypt and Argon2, with favorable results.Research partially supported by the Spanish Government under Project Grant TEC2014-54110-R (CASUS)

Cryptarray A Scalable And Reconfigurable Architecture For Cryptographic Applications

Cryptography is increasingly viewed as a critical technology to fulfill the requirements of security and authentication for information exchange between Internet applications. However, software implementations of cryptographic applications are unable to support the quality of service from a bandwidth perspective required by most Internet applications. As a result, various hardware implementations, from Application-Specific Integrated Circuits (ASICs), Field-Programmable Gate Arrays (FPGAs), to programmable processors, were proposed to improve this inadequate quality of service. Although these implementations provide performances that are considered better than those produced by software implementations, they still fall short of addressing the bandwidth requirements of most cryptographic applications in the context of the Internet for two major reasons: (i) The majority of these architectures sacrifice flexibility for performance in order to reach the performance level needed for cryptographic applications. This lack of flexibility can be detrimental considering that cryptographic standards and algorithms are still evolving. (ii) These architectures do not consider the consequences of technology scaling in general, and particularly interconnect related problems. As a result, this thesis proposes an architecture that attempts to address the requirements of cryptographic applications by overcoming the obstacles described in (i) and (ii). To this end, we propose a new reconfigurable, two-dimensional, scalable architecture, called CRYPTARRAY, in which bus-based communication is replaced by distributed shared memory communication. At the physical level, the length of the wires will be kept to a minimum. CRYPTARRAY is organized as a chessboard in which the dark and light squares represent Processing Elements (PE) and memory blocks respectively. The granularity and resource composition of the PEs is specifically designed to support the computing operations encountered in cryptographic algorithms in general, and symmetric algorithms in particular. Communication can occur only between neighboring PEs through locally shared memory blocks. Because of the chessboard layout, the architecture can be reconfigured to allow computation to proceed as a pipelined wave in any direction. This organization offers a high computational density in terms of datapath resources and a large number of distributed storage resources that easily support a high degree of parallelism and pipelining. Experimental prototyping a small array on FPGA chips shows that this architecture can run at 80.9 MHz producing 26,968,716 outputs every second in static reconfiguration mode and 20,226,537 outputs every second in dynamic reconfiguration mode

A Comprehensive Survey on the Implementations, Attacks, and Countermeasures of the Current NIST Lightweight Cryptography Standard

This survey is the first work on the current standard for lightweight cryptography, standardized in 2023. Lightweight cryptography plays a vital role in securing resource-constrained embedded systems such as deeply-embedded systems (implantable and wearable medical devices, smart fabrics, smart homes, and the like), radio frequency identification (RFID) tags, sensor networks, and privacy-constrained usage models. National Institute of Standards and Technology (NIST) initiated a standardization process for lightweight cryptography and after a relatively-long multi-year effort, eventually, in Feb. 2023, the competition ended with ASCON as the winner. This lightweight cryptographic standard will be used in deeply-embedded architectures to provide security through confidentiality and integrity/authentication (the dual of the legacy AES-GCM block cipher which is the NIST standard for symmetric key cryptography). ASCON's lightweight design utilizes a 320-bit permutation which is bit-sliced into five 64-bit register words, providing 128-bit level security. This work summarizes the different implementations of ASCON on field-programmable gate array (FPGA) and ASIC hardware platforms on the basis of area, power, throughput, energy, and efficiency overheads. The presented work also reviews various differential and side-channel analysis attacks (SCAs) performed across variants of ASCON cipher suite in terms of algebraic, cube/cube-like, forgery, fault injection, and power analysis attacks as well as the countermeasures for these attacks. We also provide our insights and visions throughout this survey to provide new future directions in different domains. This survey is the first one in its kind and a step forward towards scrutinizing the advantages and future directions of the NIST lightweight cryptography standard introduced in 2023

Selected Topics in Cryptanalysis of Symmetric Ciphers

It is well established that a symmetric cipher may be described as a system of Boolean polynomials, and that the security of the cipher cannot be better than the difficulty of solving said system. Compressed Right-Hand Side (CRHS) Equations is but one way of describing a symmetric cipher in terms of Boolean polynomials. The first paper of this thesis provides a comprehensive treatment firstly of the relationship between Boolean functions in algebraic normal form, Binary Decision Diagrams and CRHS equations. Secondly, of how CRHS equations may be used to describe certain kinds of symmetric ciphers and how this model may be used to attempt a key-recovery attack. This technique is not left as a theoretical exercise, as the process have been implemented as an open-source project named CryptaPath. To ensure accessibility for researchers unfamiliar with algebraic cryptanalysis, CryptaPath can convert a reference implementation of the target cipher, as specified by a Rust trait, into the CRHS equations model automatically. CRHS equations are not limited to key-recovery attacks, and Paper II explores one such avenue of CRHS equations flexibility. Linear and differential cryptanalysis have long since established their position as two of the most important cryptanalytical attacks, and every new design since must show resistance to both. For some ciphers, like the AES, this resistance can be mathematically proven, but many others are left to heuristic arguments and computer aided proofs. This work is tedious, and most of the tools require good background knowledge of a tool/technique to transform a design to the right input format, with a notable exception in CryptaGraph. CryptaGraph is written in Rust and transforms a reference implementation into CryptaGraphs underlying data structure automatically. Paper II introduces a new way to use CRHS equations to model a symmetric cipher, this time in such a way that linear and differential trail searches are possible. In addition, a new set of operations allowing us to count the number of active S-boxes in a path is presented. Due to CRHS equations effective initial data compression, all possible trails are captured in the initial system description. As is the case with CRHS equations, the crux is the memory consumption. However, this approach also enables the graph of a CRHS equation to be pruned, allowing the memory consumption to be kept at manageable levels. Unfortunately, pruning nodes also means that we will lose valid, incomplete paths, meaning that the hulls found are probably incomplete. On the flip side, all paths, and their corresponding probabilities, found by the tool are guaranteed to be valid trails for the cipher. This theory is also implemented in an extension of CryptaPath, and the name is PathFinder. PathFinder is also able to automatically turn a reference implementation of a cipher into its CRHS equations-based model. As an additional bonus, PathFinder supports the reference implementation specifications specified by CryptaGraph, meaning that the same reference implementation can be used for both CryptaGraph and PathFinder. Paper III shifts focus onto symmetric ciphers designed to be used in conjunction with FHE schemes. Symmetric ciphers designed for this purpose are relatively new and have naturally had a strong focus on reducing the number of multiplications performed. A multiplication is considered expensive on the noise budget of the FHE scheme, while linear operations are viewed as cheap. These ciphers are all assuming that it is possible to find parameters in the various FHE schemes which allow these ciphers to work well in symbiosis with the FHE scheme. Unfortunately, this is not always possible, with the consequence that the decryption process becomes more costly than necessary. Paper III therefore proposes Fasta, a stream cipher which has its parameters and linear layer especially chosen to allow efficient implementation over the BGV scheme, particularly as implemented in the HElib library. The linear layers are drawn from a family of rotation-based linear transformations, as cyclic rotations are cheap to do in FHE schemes that allow packing of multiple plaintext elements in one FHE ciphertext. Fasta follows the same design philosophy as Rasta, and will never use the same linear layer twice under the same key. The result is a stream cipher tailor-made for fast evaluation in HElib. Fasta shows an improvement in throughput of a factor more than 7 when compared to the most efficient implementation of Rasta.Doktorgradsavhandlin

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Design and Analysis of Security Schemes for Low-cost RFID Systems

With the remarkable progress in microelectronics and low-power semiconductor technologies, Radio Frequency IDentification technology (RFID) has moved from obscurity into mainstream applications, which essentially provides an indispensable foundation to realize ubiquitous computing and machine perception. However, the catching and exclusive characteristics of RFID systems introduce growing security and privacy concerns. To address these issues are particularly challenging for low-cost RFID systems, where tags are extremely constrained in resources, power and cost. The primary reasons are: (1) the security requirements of low-cost RFID systems are even more rigorous due to large operation range and mass deployment; and (2) the passive tags' modest capabilities and the necessity to keep their prices low present a novel problem that goes beyond the well-studied problems of traditional cryptography. This thesis presents our research results on the design and the analysis of security schemes for low-cost RFID systems. Motivated by the recent attention on exploiting physical layer resources in the design of security schemes, we investigate how to solve the eavesdropping, modification and one particular type of relay attacks toward the tag-to-reader communication in passive RFID systems without requiring lightweight ciphers. To this end, we propose a novel physical layer scheme, called Backscatter modulation- and Uncoordinated frequency hopping-assisted Physical Layer Enhancement (BUPLE). The idea behind it is to use the amplitude of the carrier to transmit messages as normal, while to utilize its periodically varied frequency to hide the transmission from the eavesdropper/relayer and to exploit a random sequence modulated to the carrier's phase to defeat malicious modifications. We further improve its eavesdropping resistance through the coding in the physical layer, since BUPLE ensures that the tag-to-eavesdropper channel is strictly noisier than the tag-to-reader channel. Three practical Wiretap Channel Codes (WCCs) for passive tags are then proposed: two of them are constructed from linear error correcting codes, and the other one is constructed from a resilient vector Boolean function. The security and usability of BUPLE in conjunction with WCCs are further confirmed by our proof-of-concept implementation and testing. Eavesdropping the communication between a legitimate reader and a victim tag to obtain raw data is a basic tool for the adversary. However, given the fundamentality of eavesdropping attacks, there are limited prior work investigating its intension and extension for passive RFID systems. To this end, we firstly identified a brand-new attack, working at physical layer, against backscattered RFID communications, called unidirectional active eavesdropping, which defeats the customary impression that eavesdropping is a ``passive" attack. To launch this attack, the adversary transmits an un-modulated carrier (called blank carrier) at a certain frequency while a valid reader and a tag interacts at another frequency channel. Once the tag modulates the amplitude of reader's signal, it causes fluctuations on the blank carrier as well. By carefully examining the amplitude of the backscattered versions of the blank carrier and the reader's carrier, the adversary could intercept the ongoing reader-tag communication with either significantly lower bit error rate or from a significantly greater distance away. Our concept is demonstrated and empirically analyzed towards a popular low-cost RFID system, i.e., EPC Gen2. Although active eavesdropping in general is not trivial to be prohibited, for a particular type of active eavesdropper, namely a greedy proactive eavesdropper, we propose a simple countermeasure without introducing extra cost to current RFID systems. The needs of cryptographic primitives on constraint devices keep increasing with the growing pervasiveness of these devices. One recent design of the lightweight block cipher is Hummingbird-2. We study its cryptographic strength under a novel technique we developed, called Differential Sequence Attack (DSA), and present the first cryptanalytic result on this cipher. In particular, our full attack can be divided into two phases: preparation phase and key recovery phase. During the key recovery phase, we exploit the fact that the differential sequence for the last round of Hummingbird-2 can be retrieved by querying the full cipher, due to which, the search space of the secret key can be significantly reduced. Thus, by attacking the encryption (decryption resp.) of Hummingbird-2, our algorithm recovers 36-bit (another 28-bit resp.) out of 128-bit key with $2^{68}$ ($2^{60}$ resp.) time complexity if particular differential conditions of the internal states and of the keys at one round can be imposed. Additionally, the rest 64-bit of the key can be exhaustively searched and the overall time complexity is dominated by $2^{68}$. During the preparation phase, by investing $2^{81}$ effort in time, the adversary is able to create the differential conditions required in the key recovery phase with at least 0.5 probability. As an additional effort, we examine the cryptanalytic strength of another lightweight candidate known as A2U2, which is the most lightweight cryptographic primitive proposed so far for low-cost tags. Our chosen-plaintext-attack fully breaks this cipher by recovering its secret key with only querying the encryption twice on the victim tag and solving 32 sparse systems of linear equations (where each system has 56 unknowns and around 28 unknowns can be directly obtained without computation) in the worst case, which takes around 0.16 second on a Thinkpad T410 laptop

Design, Cryptanalysis and Protection of Symmetric Encryption Algorithms

This thesis covers results from several areas related to symmetric cryptography, secure and efficient implementation and is divided into four main parts: In Part II, Benchmarking of AEAD, two articles will be presented, showing the results of the FELICS framework for Authenticated encryption algorithms, and multiarchitecture benchmarking of permutations used as construction block of AEAD algorithms. The Sparkle family of Hash and AEAD algorithms will be shown in Part III. Sparkle is currently a finalist of the NIST call for standardization of lightweight hash and AEAD algorithms. In Part IV, Cryptanalysis of ARX ciphers, it is discussed two cryptanalysis techniques based on differential trails, applied to ARX ciphers. The first technique, called Meet-in-the-Filter uses an offline trail record, combined with a fixed trail and a reverse differential search to propose long differential trails that are useful for key recovery. The second technique is an extension of ARX analyzing tools, that can automate the generation of truncated trails from existing non-truncated ones, and compute the exact probability of those truncated trails. In Part V, Masked AES for Microcontrollers, is shown a new method to efficiently compute a side-channel protected AES, based on the masking scheme described by Rivain and Prouff. This method introduces table and execution-order optimizations, as well as practical security proofs

Low-complexity, low-area computer architectures for cryptographic application in resource constrained environments

RCE (Resource Constrained Environment) is known for its stringent hardware design requirements. With the rise of Internet of Things (IoT), low-complexity and low-area designs are becoming prominent in the face of complex security threats. Two low-complexity, low-area cryptographic processors based on the ultimate reduced instruction set computer (URISC) are created to provide security features for wireless visual sensor networks (WVSN) by using field-programmable gate array (FPGA) based visual processors typically used in RCEs. The first processor is the Two Instruction Set Computer (TISC) running the Skipjack cipher. To improve security, a Compact Instruction Set Architecture (CISA) processor running the full AES with modified S-Box was created. The modified S-Box achieved a gate count reduction of 23% with no functional compromise compared to Boyar’s. Using the Spartan-3L XC3S1500L-4-FG320 FPGA, the implementation of the TISC occupies 71 slices and 1 block RAM. The TISC achieved a throughput of 46.38 kbps at a stable 24MHz clock. The CISA which occupies 157 slices and 1 block RAM, achieved a throughput of 119.3 kbps at a stable 24MHz clock. The CISA processor is demonstrated in two main applications, the first in a multilevel, multi cipher architecture (MMA) with two modes of operation, (1) by selecting cipher programs (primitives) and sharing crypto-blocks, (2) by using simple authentication, key renewal schemes, and showing perceptual improvements over direct AES on images. The second application demonstrates the use of the CISA processor as part of a selective encryption architecture (SEA) in combination with the millions instructions per second set partitioning in hierarchical trees (MIPS SPIHT) visual processor. The SEA is implemented on a Celoxica RC203 Vertex XC2V3000 FPGA occupying 6251 slices and a visual sensor is used to capture real world images. Four images frames were captured from a camera sensor, compressed, selectively encrypted, and sent over to a PC environment for decryption. The final design emulates a working visual sensor, from on node processing and encryption to back-end data processing on a server computer