Analysis of Impossible, Integral and Zero-Correlation Attacks on Type-II Generalized Feistel Networks using the Matrix Method

While some recent publications have shown some strong relations between impossible differential and zero-correlation distinguishers as well as between zero-correlation and integral distinguishers, we analyze in this paper some relation between the underlying key-recovery attacks against Type-II Feistel networks. The results of this paper are build on the relation presented at ACNS 2013. In particular, using a matrix representation of the round function, we show that we can not only find impossible, integral and multidimensional zero-correlation distinguishers but also find the key-words involved in the underlined key-recovery attacks. Based on this representation, for matrix-method-derived strongly-related zero-correlation and impossible distinguishers, we show that the key-words involved in the zero-correlation attack is a subset of the key-words involved in the impossible differential attack. Other relations between the key-words involved in zero-correlation, impossible and integral attacks are also extracted. Also we show that in this context the data complexity of the multidimensional zero-correlation attack is larger than that of the other two attacks

Design and Cryptanalysis of Symmetric-Key Algorithms in Black and White-box Models

Cryptography studies secure communications. In symmetric-key cryptography, the communicating parties have a shared secret key which allows both to encrypt and decrypt messages. The encryption schemes used are very efficient but have no rigorous security proof. In order to design a symmetric-key primitive, one has to ensure that the primitive is secure at least against known attacks. During 4 years of my doctoral studies at the University of Luxembourg under the supervision of Prof. Alex Biryukov, I studied symmetric-key cryptography and contributed to several of its topics. Part I is about the structural and decomposition cryptanalysis. This type of cryptanalysis aims to exploit properties of the algorithmic structure of a cryptographic function. The first goal is to distinguish a function with a particular structure from random, structure-less functions. The second goal is to recover components of the structure in order to obtain a decomposition of the function. Decomposition attacks are also used to uncover secret structures of S-Boxes, cryptographic functions over small domains. In this part, I describe structural and decomposition cryptanalysis of the Feistel Network structure, decompositions of the S-Box used in the recent Russian cryptographic standard, and a decomposition of the only known APN permutation in even dimension. Part II is about the invariant-based cryptanalysis. This method became recently an active research topic. It happened mainly due to recent extreme cryptographic designs, which turned out to be vulnerable to this cryptanalysis method. In this part, I describe an invariant-based analysis of NORX, an authenticated cipher. Further, I show a theoretical study of linear layers that preserve low-degree invariants of a particular form used in the recent attacks on block ciphers. Part III is about the white-box cryptography. In the white-box model, an adversary has full access to the cryptographic implementation, which in particular may contain a secret key. The possibility of creating implementations of symmetric-key primitives secure in this model is a long-standing open question. Such implementations have many applications in industry; in particular, in mobile payment systems. In this part, I study the possibility of applying masking, a side-channel countermeasure, to protect white-box implementations. I describe several attacks on direct application of masking and provide a provably-secure countermeasure against a strong class of the attacks. Part IV is about the design of symmetric-key primitives. I contributed to design of the block cipher family SPARX and to the design of a suite of cryptographic algorithms, which includes the cryptographic permutation family SPARKLE, the cryptographic hash function family ESCH, and the authenticated encryption family SCHWAEMM. In this part, I describe the security analysis that I made for these designs

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis. Firstly, by introducing the concept of structure and dual structure, we prove that $a\rightarrow b$ is an impossible differential of a structure $\mathcal E$ if and only if it is a zero correlation linear hull of the dual structure $\mathcal E^\bot$. More specifically, constructing a zero correlation linear hull of a Feistel structure with $SP$-type round function where $P$ is invertible, is equivalent to constructing an impossible differential of the same structure with $P^T$ instead of $P$. Constructing a zero correlation linear hull of an SPN structure is equivalent to constructing an impossible differential of the same structure with $(P^{-1})^T$ instead of $P$. Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with $SP$-type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis. Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher while a special integral implies the existence of a zero correlation linear hull. With this observation we improve the integral distinguishers of Feistel structures by $1$ round, build a $24$-round integral distinguisher of CAST-$256$ based on which we propose the best known key recovery attack on reduced round CAST-$256$ in the non-weak key model, present a $12$-round integral distinguisher of SMS4 and an $8$-round integral distinguisher of Camellia without $FL/FL^{-1}$. Moreover, this result provides a novel way for establishing integral distinguishers and converting known plaintext attacks to chosen plaintext attacks. Finally, we conclude that an $r$-round impossible differential of $\mathcal E$ always leads to an $r$-round integral distinguisher of the dual structure $\mathcal E^\bot$. In the case that $\mathcal E$ and $\mathcal E^\bot$ are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of $\mathcal E$. Specifically, we obtain that an $r$-round impossible differential of an SPN structure, which adopts a bit permutation as its linear layer, always indicates the existence of an $r$-round integral distinguisher. Based on this newly established link, we deduce that impossible differentials of SNAKE(2), PRESENT, PRINCE and ARIA, which are independent of the choices of the $S$-boxes, always imply the existence of integral distinguishers. Our results could help to classify different cryptanalytic tools. Furthermore, when designing a block cipher, the designers need to demonstrate that the cipher has sufficient security margins against important cryptanalytic approaches, which is a very tough task since there have been so many cryptanalytic tools up to now. Our results certainly facilitate this security evaluation process

Improvements for Finding Impossible Differentials of Block Cipher Structures

We improve Wu and Wang’s method for finding impossible differentials of block cipher structures. This improvement is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply it on Gen-CAST256, Misty, Gen-Skipjack, Four-Cell, Gen-MARS, SMS4, MIBS, Camellia⁎, LBlock, E2, and SNAKE block ciphers. All impossible differentials discovered by the algorithm are the same as Wu’s method. Besides, for the 8-round MIBS block cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang’s results. The experiment results show that the improved algorithm can not only find more impossible differentials, but also largely reduce the search time

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography. In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy. Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics. Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive

Towards the Links of Cryptanalytic Methods on MPC/FHE/ZK-Friendly Symmetric-Key Primitives

Symmetric-key primitives designed over the prime field $\mathbb{F}_p$ with odd characteristics, rather than the traditional $\mathbb{F}_2^{n}$, are becoming the most popular choice for MPC/FHE/ZK-protocols for better efficiencies. However, the security of $\mathbb{F}_p$ is less understood as there are highly nontrivial gaps when extending the cryptanalysis tools and experiences built on $\mathbb{F}_2^{n}$ in the past few decades to $\mathbb{F}_p$. At CRYPTO 2015, Sun et al. established the links among impossible differential, zero-correlation linear, and integral cryptanalysis over $\mathbb{F}_2^{n}$ from the perspective of distinguishers. In this paper, following the definition of linear correlations over $\mathbb{F}_p$ by Baignéres, Stern and Vaudenay at SAC 2007, we successfully establish comprehensive links over $\mathbb{F}_p$, by reproducing the proofs and offering alternatives when necessary. Interesting and important differences between $\mathbb{F}_p$ and $\mathbb{F}_2^n$ are observed. - Zero-correlation linear hulls can not lead to integral distinguishers for some cases over $\mathbb{F}_p$, while this is always possible over $\mathbb{F}_2^n$ proven by Sun et al.. - When the newly established links are applied to GMiMC, its impossible differential, zero-correlation linear hull and integral distinguishers can be increased by up to 3 rounds for most of the cases, and even to an arbitrary number of rounds for some special and limited cases, which only appeared in $\mathbb{F}_p$. It should be noted that all these distinguishers do not invalidate GMiMC\u27s security claims. The development of the theories over $\mathbb{F}_p$ behind these links, and properties identified (be it similar or different) will bring clearer and easier understanding of security of primitives in this emerging $\mathbb{F}_p$ field, which we believe will provide useful guides for future cryptanalysis and design

Analyse et Conception d'Algorithmes de Chiffrement Légers

The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the nist lwc standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.Les travaux présentés dans cette thèse s’inscrivent dans le cadre du projet FUI Paclido, qui a pour but de définir de nouveaux protocoles et algorithmes de sécurité pour l’Internet des Objets, et plus particulièrement les réseaux de capteurs sans fil. Cette thèse s’intéresse donc aux algorithmes de chiffrements authentifiés dits à bas coût ou également, légers, pouvant être implémentés sur des systèmes très limités en ressources. Une première partie des contributions porte sur la conception de l’algorithme léger Lilliput-AE, basé sur un schéma de Feistel généralisé étendu (EGFN) et soumis au projet de standardisation international Lightweight Cryptography (LWC) organisé par le NIST (National Institute of Standards and Technology). Une autre partie des travaux se concentre sur des attaques théoriques menées contre des solutions déjà existantes, notamment un certain nombre de candidats à la compétition LWC du NIST. Elle présente donc des analyses spécifiques des algorithmes Skinny et Spook ainsi qu’une étude plus générale des attaques de type boomerang contre les schémas de Feistel

SoK: Security Evaluation of SBox-Based Block Ciphers

Cryptanalysis of block ciphers is an active and important research area with an extensive volume of literature. For this work, we focus on SBox-based ciphers, as they are widely used and cover a large class of block ciphers. While there have been prior works that have consolidated attacks on block ciphers, they usually focus on describing and listing the attacks. Moreover, the methods for evaluating a cipher\u27s security are often ad hoc, differing from cipher to cipher, as attacks and evaluation techniques are developed along the way. As such, we aim to organise the attack literature, as well as the work on security evaluation. In this work, we present a systematization of cryptanalysis of SBox-based block ciphers focusing on three main areas: (1) Evaluation of block ciphers against standard cryptanalytic attacks; (2) Organisation and relationships between various attacks; (3) Comparison of the evaluation and attacks on existing ciphers

Revisiting Lightweight Block Ciphers: Review, Taxonomy and Future directions

Block ciphers have been extremely predominant in the area of cryptography and due to the paradigm shift towards devices of resource constrained nature, lightweight block ciphers have totally influenced the field and has been a go-to option ever since. The growth of resource constrained devices have put forth a dire need for the security solutions that are feasible in terms of resources without taking a toll on the security that they offer. As the world is starting to move towards Internet of Things (IoT), data security and privacy in this environment is a major concern. This is due to the reason that a huge number of devices that operate in this environment are resource constrained. Because of their resource-constrained nature, advanced mainstream cryptographic ciphers and techniques do not perform as efficiently on such devices. This has led to the boom in the field of \u27lightweight cryptography\u27 which aims at developing cryptographic techniques that perform efficiently in a resource constrained environment. Over the period of past two decades or so, a bulk of lightweight block ciphers have been proposed due to the growing need and demand in lightweight cryptography. In this paper, we review the state-of-the-art lightweight block ciphers, present a comprehensive design niche, give a detailed taxonomy with multiple classifications and present future research directions