6 research outputs found

    Analysis and Design of Symmetric Cryptographic Algorithms

    This doctoral thesis is dedicated to the analysis and the design of symmetric cryptographic algorithms. In the first part of the dissertation, we deal with fault-based attacks on cryptographic circuits, which belong to the field of active implementation attacks and aim to retrieve secret keys stored on such chips. Our main focus is on the cryptanalytic aspects of those attacks. In particular, we target block ciphers with a lightweight and (often) non-bijective key schedule, where the derived subkeys are (almost) independent from each other. An attacker who is able to reconstruct one of the subkeys is thus not necessarily able to directly retrieve other subkeys, or even the secret master key, by simply reversing the key schedule. We introduce a framework based on differential fault analysis that makes it possible to attack block ciphers which rely on a substitution-permutation network and use an arbitrary number of independent subkeys. These methods are then applied to the lightweight block ciphers LED and PRINCE, and we show in both cases how to recover the secret master key using only a small number of fault injections. Moreover, we investigate approaches that utilize algebraic instead of differential techniques for the fault analysis and discuss their advantages and drawbacks. At the end of the first part of the dissertation, we explore fault-based attacks on the block cipher Bel-T, which also has a lightweight key schedule but is based not on a substitution-permutation network but on the so-called Lai-Massey scheme. The framework mentioned above is thus not usable against Bel-T. Nevertheless, we also present techniques for the case of Bel-T that enable full recovery of the secret key in a very efficient way using differential fault analysis. In the second part of the thesis, we focus on authenticated encryption schemes. While regular ciphers only protect the privacy of processed data, authenticated encryption schemes also secure its authenticity and integrity. Many of these ciphers are additionally able to protect the authenticity and integrity of so-called associated data. This type of data is transmitted unencrypted but must nevertheless be protected from being tampered with during transmission. Authenticated encryption is nowadays the standard technique for protecting in-transit data. However, most of the currently deployed schemes have deficits, and there are many leverage points for improvements. With NORX we introduce a novel authenticated encryption scheme supporting associated data. This algorithm was designed with high security, efficiency in both hardware and software, simplicity, and robustness against side-channel attacks in mind. Next to its specification, we present special features, security goals, implementation details and extensive performance measurements, and discuss advantages over currently deployed standards. Finally, we describe our preliminary security analysis, in which we investigate differential and rotational properties of NORX. Particularly noteworthy are the newly developed techniques for differential cryptanalysis of NORX, which exploit the power of SAT and SMT solvers and have the potential to be easily adaptable to other encryption schemes as well.

    This doctoral thesis deals with the analysis and design of symmetric cryptographic algorithms. In the first part of the dissertation we deal with fault-based attacks on cryptographic circuits, which are assigned to the field of active side-channel attacks and aim at reconstructing secret keys stored on these chips. Our main focus is on the cryptanalytic aspects of these attacks. In particular, we consider block ciphers that have a lightweight and (often) non-bijective key schedule, in which the generated subkeys are (almost) independent of each other. An attacker who succeeds in reconstructing one subkey is therefore not able to directly derive further subkeys, or even the master key, by simply inverting the key schedule. We present techniques based on differential fault analysis that make it possible to analyze block ciphers which use an arbitrary number of independent subkeys and are based on substitution-permutation networks. These methods are then applied to the lightweight block ciphers LED and PRINCE, and in both cases we show how the complete secret key can be reconstructed with only a few fault injections. Furthermore, we investigate methods that use algebraic instead of differential fault-analysis techniques and discuss their advantages and disadvantages. At the end of the first part of the dissertation we deal with fault-based attacks on the block cipher Bel-T, which also has a lightweight key schedule but is based not on a substitution-permutation network but on the so-called Lai-Massey scheme. The techniques mentioned above therefore cannot be applied to Bel-T. Nevertheless, for the case of Bel-T we also present methods that are able to reconstruct the complete secret key very efficiently with the help of differential fault analysis. In the second part of the thesis we deal with authenticated encryption schemes. While ordinary ciphers only ensure the confidentiality of the processed data, authenticated encryption schemes also guarantee their authenticity and integrity. Many of these ciphers are moreover able to guarantee the authenticity and integrity of so-called associated data as well. Data of this type is transmitted in unencrypted form but must nevertheless be protected against unauthorized modification in transit. Authenticated encryption schemes are today the standard technology for protecting data during transmission. However, currently deployed schemes often have deficits, and there are many starting points for improvements. With NORX we present a novel authenticated encryption scheme that supports associated data. This algorithm was developed above all with a view to application areas with high security requirements, efficiency in hardware and software, simplicity, and robustness against side-channel attacks. Besides the specification, we present special features, intended security goals, implementation details and comprehensive performance measurements, and discuss advantages over current standards. Finally, we present results of our preliminary security analysis, in which we concentrate above all on differential characteristics and rotational properties of NORX. Particularly noteworthy are the techniques developed for the differential cryptanalysis of NORX, which draw on the efficiency of SAT and SMT solvers and have the potential to be transferred relatively easily to other encryption schemes as well.

    Cryptographic file system with speculative GPU acceleration (Sistema de arquivos criptográfico com aceleração especulativa em GPU)

    Advisor: Dr. Wagner Machado Nunan Zola. Co-advisor: Dr. Luis Carlos Erpen de Bona. Master's dissertation - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defense: Curitiba, 03/09/2018. Includes references. Area of concentration: Computer Science.

    Summary: Information can be valuable in many situations, including when it is stored in digital format. It is common to find many data storage systems that aim to fulfill some basic information security properties. They generally use cryptographic techniques, mainly symmetric encryption. The use of cryptography can require significant amounts of CPU processing. Consequently, cryptographic storage systems can become large consumers of processing resources and be impacted by other applications when competing for CPU usage. An alternative to CPU processing is parallel processing using the multiple processors of graphics cards (GPUs). One of the most widely used symmetric encryption algorithms is AES, and its acceleration on GPUs has been extensively studied. One of these studies resulted in the creation of WAES and its library WAESlib, which allows AES encryption functions to be executed on GPUs. WAES is based on the CTR mode of operation, which consists of rules that guide how encryption algorithms should be applied in order to keep the encryption process secure. The main advantages of CTR mode are that it is fully parallelizable and that it allows the initial step of the encryption process to be carried out in advance, generating encryption masks. Seeking to benefit from these advantages, this work explores the use of CTR mode, applying it in the implementation of the cryptographic file system EncFS++. The WAESlib library was used to assist in the implementation process. In the first stage of this work, CTR mode was implemented, and issues related to an essential component of CTR mode called the nonce were addressed. Techniques were created and implemented that deal with the generation, storage and management of nonces. In the second stage, techniques related to the management of encryption contexts were created and implemented, seeking to perform speculative encryption efficiently by generating the encryption masks on the GPU with adequate lead time. Performance analyses were carried out involving throughput, execution time and latency in the implementation resulting from the first stage, as well as throughput and CPU utilization in the implementation of the second. The results of the first stage show that simply using CTR mode brings significant performance gains, mainly in write operations. The results of the second stage show that the gains can be extended, including in sequential read operations, with the speculative production of encryption masks and their processing on the GPU. In environments that do not use processors with AES cryptographic function acceleration, the gains are quite significant, even resulting in more efficient CPU utilization.

    Abstract: Information can be valuable in many situations, including when it is stored in digital format. It is common to find several storage systems that try to comply with some basic information security properties. For those purposes, they use cryptographic techniques, mainly symmetric encryption. The use of cryptography may require significant amounts of processing on CPUs. As a result, cryptographic storage systems can become large consumers of processing resources and be impacted by other applications when competing for CPU usage. An alternative to CPU processing is parallel processing using multiple graphics processing units (GPUs). One of the most widely used symmetric encryption algorithms is AES, and its acceleration on GPUs has been extensively studied. One of these studies resulted in the creation of WAES and its library named WAESlib, which allows execution of AES encryption functions on GPUs. The operation of WAES is based on the CTR mode of operation, which consists of rules that guide how encryption algorithms should be applied in order to keep the encryption process safe. The main advantages of CTR mode are that it is fully parallelizable and that it allows the initial step of the encryption process to be carried out in advance, generating encryption masks. In order to benefit from these features, this work explores the use of CTR mode, applying it in the implementation of a cryptographic filesystem named EncFS++. The WAESlib library was used to aid in the implementation process. In the first part of this work, CTR mode was implemented and issues related to an essential component of CTR mode known as the nonce were addressed. Techniques have been created and implemented to deal with the generation, storage and management of nonces. In the second part, techniques related to the management of the encryption contexts have been created and implemented, aiming to perform the speculative encryption in an efficient way, generating the encryption masks on the GPU with adequate time in advance. Performance analyses were conducted measuring throughput, execution time and latency in the implementation resulting from the first part, as well as throughput and CPU utilization in the implementation of the second one. The performance analysis results of the first part demonstrate that the simple use of CTR mode brings significant performance gains, mainly in write operations. The performance analysis results of the second part demonstrate that gains can be enhanced, including in sequential read operations, with the speculative encryption of masks and their processing on the GPU. In environments that do not use processors with accelerated AES cryptographic functions, gains in throughput were quite significant and a more efficient CPU utilization was obtained.

    Analysis and design of symmetric cryptographic algorithms

    No full text
    This thesis is concerned with the analysis and design of symmetric cryptographic algorithms, with a focus on real-world algorithms. The first part describes original cryptanalysis results, including: the first nontrivial preimage attacks on the (reduced) hash function MD5 and on the full HAVAL (our results were later improved by Sasaki and Aoki, giving a preimage attack on the full MD5); the best key-recovery attacks so far on reduced versions of the stream cipher Salsa20, selected by the European Network of Excellence ECRYPT as a recommendation for software applications, and one of the two ciphers (with AES) in the NaCl cryptographic library; and the academic break of the block cipher MULTI2, used in the Japanese digital-TV standard ISDB (while MULTI2 was designed in 1988, our results are the first analysis of MULTI2 to appear as an international publication). We then present a general framework for distinguishers on symmetric cryptographic algorithms, based on the cube attacks of Dinur and Shamir: our cube testers build on algebraic property-testing algorithms to mount distinguishers on algorithms that possess some efficiently testable structure. We apply cube testers to some well-known algorithms: on the compression function of MD6, we distinguish 18 rounds (out of 80) from a random function; on the stream cipher Trivium, we obtain the best distinguisher known so far, reaching 885 rounds out of 1152; on the stream cipher Grain-128, using FPGA devices to run high-complexity attacks, we obtain the best distinguisher known so far, and can conjecture the existence of a shortcut attack on the full Grain-128. These results were presented at FSE 2008, SAC 2008, FSE 2009, and SHARCS 2009. The second part of this thesis presents a new hash function, called BLAKE, which we submitted to the NIST Hash Competition. Besides a complete specification, we report on our implementations of BLAKE in hardware and software, and present a preliminary security analysis. As of August 2009, BLAKE is one of the 14 submissions accepted as Second Round Candidates by NIST, and no attack on BLAKE is known.