On Some Symmetric Lightweight Cryptographic Designs

This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator is investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented. The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption. These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext. Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack is given. It is shown how knowledge of the state can be used to recover the key in a straightforward way. The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this. Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair. Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings

Randomness Generation for Secure Hardware Masking - Unrolled Trivium to the Rescue

Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed over the past decades. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency and performance of secure implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium B outperform all competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle while maintaining high performance, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers (LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a high rate per cycle even more efficiently than Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. Circumventing these problems, and enabling an independent analysis of randomness generation and masking scheme, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating n fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as 20n to 30n ASIC gate equivalents (GE) or 3n to 4n FPGA look-up tables (LUTs), where n is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable and potentially moving low randomness usage in hardware masking research from a primary to secondary design goal

Optimized Hardware Implementations of Lightweight Cryptography

Radio frequency identification (RFID) is a key technology for the Internet of Things era. One important advantage of RFID over barcodes is that line-of-sight is not required between readers and tags. Therefore, it is widely used to perform automatic and unique identification of objects in various applications, such as product tracking, supply chain management, and animal identification. Due to the vulnerabilities of wireless communication between RFID readers and tags, security and privacy issues are significant challenges. The most popular passive RFID protocol is the Electronic Product Code (EPC) standard. EPC tags have many constraints on power consumption, memory, and computing capability. The field of lightweight cryptography was created to provide secure, compact, and flexible algorithms and protocols suitable for applications where the traditional cryptographic primitives, such as AES, are impractical. In these lightweight algorithms, tradeoffs are made between security, area/power consumption, and throughput. In this thesis, we focus on the hardware implementations and optimizations of lightweight cryptography and present the Simeck block cipher family, the WG-8 stream cipher, the Warbler pseudorandom number generator (PRNG), and the WGLCE cryptographic engine. Simeck is a new family of lightweight block ciphers. Simeck takes advantage of the good components and design ideas of the Simon and Speck block ciphers and it has three instances with different block and key sizes. We provide an extensive exploration of different hardware architectures in ASICs and show that Simeck is smaller than Simon in terms of area and power consumption. For the WG-8 stream cipher, we explore four different approaches for the WG transformation module, where one takes advantage of constant arrays and the other three benefit from the tower field constructions of the finite field \F_{2^8} and also efficient basis conversion matrices. The results in FPGA and ASICs show that the constant arrays based method is the best option. We also propose a hybrid design to improve the throughput with a little additional hardware. For the Warbler PRNG, we present the first detailed and smallest hardware implementations and optimizations. The results in ASICs show that the area of Warbler with throughput of 1 bit per 5 clock cycles (1/5 bpc) is smaller than that of other PRNGs and is in fact smaller than that of most of the lightweight primitives. We also optimize and improve the throughput from 1/5 bpc to 1 bpc with a little additional area and power consumption. Finally, we propose a cryptographic engine WGLCE for passive RFID systems. We merge the Warbler PRNG and WG-5 stream cipher together by reusing the finite state machine for both of them. Therefore, WGLCE can provide data confidentiality and generate pseudorandom numbers. After investigating the design rationales and hardware architectures, our results in ASICs show that WGLCE meets the constraints of passive RFID systems

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect nonrandomness over 885 rounds in 2^27, improving on the original 767-round cube attack

Contributions to Confidentiality and Integrity Algorithms for 5G

The confidentiality and integrity algorithms in cellular networks protect the transmission of user and signaling data over the air between users and the network, e.g., the base stations. There are three standardised cryptographic suites for confidentiality and integrity protection in 4G, which are based on the AES, SNOW 3G, and ZUC primitives, respectively. These primitives are used for providing a 128-bit security level and are usually implemented in hardware, e.g., using IP (intellectual property) cores, thus can be quite efficient. When we come to 5G, the innovative network architecture and high-performance demands pose new challenges to security. For the confidentiality and integrity protection, there are some new requirements on the underlying cryptographic algorithms. Specifically, these algorithms should: 1) provide 256 bits of security to protect against attackers equipped with quantum computing capabilities; and 2) provide at least 20 Gbps (Gigabits per second) speed in pure software environments, which is the downlink peak data rate in 5G. The reason for considering software environments is that the encryption in 5G will likely be moved to the cloud and implemented in software. Therefore, it is crucial to investigate existing algorithms in 4G, checking if they can satisfy the 5G requirements in terms of security and speed, and possibly propose new dedicated algorithms targeting these goals. This is the motivation of this thesis, which focuses on the confidentiality and integrity algorithms for 5G. The results can be summarised as follows.1. We investigate the security of SNOW 3G under 256-bit keys and propose two linear attacks against it with complexities 2172 and 2177, respectively. These cryptanalysis results indicate that SNOW 3G cannot provide the full 256-bit security level. 2. We design some spectral tools for linear cryptanalysis and apply these tools to investigate the security of ZUC-256, the 256-bit version of ZUC. We propose a distinguishing attack against ZUC-256 with complexity 2236, which is 220 faster than exhaustive key search. 3. We design a new stream cipher called SNOW-V in response to the new requirements for 5G confidentiality and integrity protection, in terms of security and speed. SNOW-V can provide a 256-bit security level and achieve a speed as high as 58 Gbps in software based on our extensive evaluation. The cipher is currently under evaluation in ETSI SAGE (Security Algorithms Group of Experts) as a promising candidate for 5G confidentiality and integrity algorithms. 4. We perform deeper cryptanalysis of SNOW-V to ensure that two common cryptanalysis techniques, guess-and-determine attacks and linear cryptanalysis, do not apply to SNOW-V faster than exhaustive key search. 5. We introduce two minor modifications in SNOW-V and propose an extreme performance variant, called SNOW-Vi, in response to the feedback about SNOW-V that some use cases are not fully covered. SNOW-Vi covers more use cases, especially some platforms with less capabilities. The speeds in software are increased by 50% in average over SNOW-V and can be up to 92 Gbps.Besides these works on 5G confidentiality and integrity algorithms, the thesis is also devoted to local pseudorandom generators (PRGs). 6. We investigate the security of local PRGs and propose two attacks against some constructions instantiated on the P5 predicate. The attacks improve existing results with a large gap and narrow down the secure parameter regime. We also extend the attacks to other local PRGs instantiated on general XOR-AND and XOR-MAJ predicates and provide some insight in the choice of safe parameters

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Multi-Purpose Designs in Lightweight Cryptography

The purpose of this thesis is to explore a number of techniques used in lightweight cryptography design and their applications in the hardware designs of two lightweight permutations called sLiSCP and sLiSCP-light. Most of current methods in lightweight cryptography are optimized around one functionality and is only useful for applications that require their specific design. We aimed to provide a design that can provide multiple functionalities. In this thesis, we focus and show the hash function and authenticated encryption of our design. We implemented two lightweight permutations designs of sLiSCP and sLiSCP-light in VHDL. During the verification of sLiSCP cipher, we discovered additional area that could be saved if we tweaked the design slightly. This would lead us to consider the design of sLiSCP-light which helps dramatically reduce area. Results of our designs of sLiSCP and sLiSCP-light satisfied the lightweight requirements, including hardware area, power, and throughput, for applications such as passive RFID tags. Lastly, we did tests on the randomness of Simeck and Simon Feistel structures. We wanted to observe the pseudorandom nature of structures similar to Simeck and Simon so we performed exhaustive tests on small instances of these structures to trace any trends in their behavior. We confirmed that Simon and Simeck were very consistent and provided acceptable pseudorandom results. For larger sizes, we expect similar results from Simon and Simeck

Design and Cryptanalysis of Lightweight Symmetric Key Primitives

The need for lightweight cryptographic primitives to replace the traditional standardized primitives such as AES, SHA-2 and SHA-3, which are unrealistic in constrained environments, has been anticipated by the cryptographic community for over a decade and half. Such an anticipation came to reality by the apparent proliferation of Radio Frequency Identifiers (RFIDs), Internet of Things (IoT), smart devices and sensor networks in our daily lives. All these devices operate in constrained environments and require reasonable efficiency with low implementation costs and sufficient security. Accordingly, designing lightweight symmetric key cryptographic primitives and analyzing the state-of-the-art algorithms is an active area of research for both academia and industry, which is directly followed by the ongoing National Institute of Standards and Technology’s lightweight cryptography (NIST LWC) standardization project. In this thesis, we focus on the design and security analysis of such primitives. First, we present the design of four lightweight cryptographic permutations, namely sLiSCP, sLiSCP-light, ACE and WAGE. At a high level, these permutations adopt a Nonlinear Feedback Shift Register (NLFSR) based design paradigm. sLiSCP, sLiSCP-light and ACE use reduced-round Simeck block cipher, while WAGE employs Welch-Gong (WG) permutation and two 7-bit sboxes over the finite field $F_{2^7}$ as their underlying nonlinear components. We discuss their design rationale and analyze the security with respect to differential and linear, integral and symmetry based distinguishers using automated tools such as Mixed Integer Linear Programming (MILP) and SAT/SMT solvers. Second, we show the applications of these permutations to achieve Authenticated Encryption with Associated Data (AEAD), Message Authentication Code (MAC), Pseudorandom Bit Generator (PRBG) and Hash functionalities. We introduce the idea of the unified round function, which, when combined in a sponge mode can provide all the aforementioned functionalities with the same circuitry. We give concrete instantiations of several AEAD and hash schemes with varying security levels, e.g., 80, 96, 112 and 128 bits. Next, we present Spoc, a new AEAD mode of operation which offers higher security guarantees compared to traditional sponge-based AEAD schemes with smaller states. We instantiate Spoc with sLiSCP-light permutation and propose another two lightweight AEAD algorithms. Notably, 4 of our proposed schemes, namely ACE, Spix, Spoc and WAGE are round 2 candidates of NIST’s LWC project. Finally, we present cryptanalytic results on some lightweight ciphers. We first analyze the nonlinear initialization phase of WG-5 stream cipher using the division property based cube attack, and give a key recovery attack on 24 (out of 64) rounds with data and time complexities $2^{6.32}$ and $2^{76:81}$, respectively. Next, we propose a novel property of block ciphers called correlated sequences and show its applications to meet-in-the-middle attack. Consequently, we give the best key recovery attacks (up to 27 out of 32 rounds in a single key setting) on Simon and Simeck ciphers with block and key sizes 32 and 64 bits, respectively. The attack requires 3 known plaintext-ciphertext pairs and has a time complexity close to average exhaustive search. It is worth noting that variants of WG-5 and Simeck are the core components of aforementioned AEAD and hash schemes. Lastly, we present practical forgery attacks on Limdolen and HERN which are round 1 candidates of NIST LWC project. We show the existence of structural weaknesses which could be exploited to forge any message with success probability of 1. For Limdolen, we require the output of a single encryption query while for HERN we need at most 4 encryption queries for a valid forgery. Following our attack, both designs are eliminated from second round

On Message Authentication in 4G LTE System

After decades of evolution, the cellular system has become an indispensable part of modern life. Together with the convenience brought by the cellular system, many security issues have arisen. Message integrity protection is one of the urgent problems. The integrity of a message is usually protected by message authentication code (MAC). Forgery attacks are the primary threat to message integrity. By Simon's definition, forgery is twofold. The first is impersonation forgery, in which the opponent can forge a MAC without knowing any message-MAC pairs. The second is substitution forgery, in which the opponent can forge a MAC by knowing certain message-MAC pairs. In the 4G LTE system, MAC is applied not only to RRC control messages and user data, but also to authentication of the identities in the radio network during the authentication and key agreement (AKA) procedure. There is a set of functions used in AKA, which is called A3/A8. Originally, only one cipher suite called MILENAGE followed the definition of A3/A8. Recently, Vodafone has proposed another candidate called TUAK. This thesis first analyzes a MAC algorithm of the 4G LTE system called EIA1. The analysis shows that because of its linear structure, given two valid message-MAC pairs generated by EIA1, attackers can forge up to $2^{32}$ valid MACs by the algorithm called linear forgery attack proposed in this thesis. This thesis also proposes a well-designed scenario, in which attackers can apply the linear forgery attack to the real system. The second work presented in this thesis fixes the gap between the almost XOR universal property and the substitution forgery probability, and assesses the security of EIA1 under different attack models. After the security analysis, an optimized EIA1 using an efficient polynomial evaluation method is proposed. This polynomial evaluation method is analog to the fast Fourier transform. Compared with Horner's rule, which is used in the official implementation of EIA1, this method reduces the number of multiplications over finite field dramatically. The improvement is shown by the experiment results, which suggests that the optimized code is much faster than the official implementation, and the polynomial evaluation method is better than Horner's rule. The third work in this thesis assesses the security of TUAK, and proves TUAK is a secure algorithm set, which means $f_1$, $f_1^*$, and $f_2$ are resistant to forgery attacks, and key recovery attacks; $f_3$ - $f_5$, and $f_5^*$ are resistant to key recovery attacks and collision. A novel technique called multi-output filtering model is proposed in this work in order to study the non-randomness property of TUAK and other cryptographic primitives, such as AES, KASUMI, and PRESENT. A multi-output filtering model consists of a linear feedback shift register (LFSR) and a multi-output filtering function. The contribution of this research is twofold. First, an attack technique under IND-CPA using the multi-output filtering model is proposed. By introducing a distinguishing function, we theoretically determine the success rate of this attack. In particular, we construct a distinguishing function based on the distribution of the linear complexity of component sequences, and apply it on studying TUAK's $f_1$ algorithm, AES, KASUMI and PRESENT. The experiments demonstrate that the success rate of the attack on KASUMI and PRESENT is non-negligible, but $f_1$ and AES are resistant to this attack. Second, this research studies the distribution of the cryptographic properties of component functions of a random primitive in the multi-output filtering model. The experiments show some non-randomness in the distribution of the algebraic degree and nonlinearity for KASUMI. The last work is constructing two MACs. The first MAC called WGIA-128 is a variant of EIA1, and requires the underlying stream cipher to generate uniform distributed key streams. WG-16, a stream cipher with provable security, is a good choice to be the underlying cipher of WGIA-128 because it satisfies the requirement. The second MAC called AMAC is constructed upon APN functions. we propose two different constructions of AMAC, and both of these two constructions have provable security. The probability of substitution forgery attacks against both constructions of AMAC is upper bounded by a negligible value. Compared with EIA1 and EIA3, two message authentication codes used in the 4G LTE system, both constructions of AMAC are slower than EIA3, but much faster than EIA1. Moreover, both constructions of AMAC are resistant to cycling and linear forgery attacks, which can be applied to both EIA1 and EIA3