On Some Symmetric Lightweight Cryptographic Designs

This dissertation presents cryptanalysis of several symmetric lightweight primitives, both stream ciphers and block ciphers. Further, some aspects of authentication in combination with a keystream generator is investigated, and a new member of the Grain family of stream ciphers, Grain-128a, with built-in support for authentication is presented. The first contribution is an investigation of how authentication can be provided at a low additional cost, assuming a synchronous stream cipher is already implemented and used for encryption. These findings are then used when presenting the latest addition to the Grain family of stream ciphers, Grain-128a. It uses a 128-bit key and a 96-bit initialization vector to generate keystream, and to possibly also authenticate the plaintext. Next, the stream cipher BEAN, superficially similar to Grain, but notably using a weak output function and two feedback with carry shift registers (FCSRs) rather than linear and (non-FCSR) nonlinear feedback shift registers, is cryptanalyzed. An efficient distinguisher and a state-recovery attack is given. It is shown how knowledge of the state can be used to recover the key in a straightforward way. The remainder of this dissertation then focuses on block ciphers. First, a related-key attack on KTANTAN is presented. The attack notably uses only a few related keys, runs in less than half a minute on a current computer, and directly contradicts the designers' claims. It is discussed why this is, and what can be learned from this. Next, PRINTcipher is subjected to linear cryptanalysis. Several weak key classes are identified and it is shown how several observations of the same statistical property can be made for each plaintext--ciphertext pair. Finally, the invariant subspace property, first observed for certain key classes in PRINTcipher, is investigated. In particular, its connection to large linear biases is studied through an eigenvector which arises inside the cipher and leads to trail clustering in the linear hull which, under reasonable assumptions, causes a significant number of large linear biases. Simulations on several versions of PRINTcipher are compared to the theoretical findings

Ongoing Research Areas in Symmetric Cryptography

This report is a deliverable for the ECRYPT European network of excellence in cryptology. It gives a brief summary of some of the research trends in symmetric cryptography at the time of writing. The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the recently proposed algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5)

D.STVL.9 - Ongoing Research Areas in Symmetric Cryptography

This report gives a brief summary of some of the research trends in symmetric cryptography at the time of writing (2008). The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5)

Analyse et Conception d'Algorithmes de Chiffrement Légers

The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the nist lwc standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.Les travaux présentés dans cette thèse s’inscrivent dans le cadre du projet FUI Paclido, qui a pour but de définir de nouveaux protocoles et algorithmes de sécurité pour l’Internet des Objets, et plus particulièrement les réseaux de capteurs sans fil. Cette thèse s’intéresse donc aux algorithmes de chiffrements authentifiés dits à bas coût ou également, légers, pouvant être implémentés sur des systèmes très limités en ressources. Une première partie des contributions porte sur la conception de l’algorithme léger Lilliput-AE, basé sur un schéma de Feistel généralisé étendu (EGFN) et soumis au projet de standardisation international Lightweight Cryptography (LWC) organisé par le NIST (National Institute of Standards and Technology). Une autre partie des travaux se concentre sur des attaques théoriques menées contre des solutions déjà existantes, notamment un certain nombre de candidats à la compétition LWC du NIST. Elle présente donc des analyses spécifiques des algorithmes Skinny et Spook ainsi qu’une étude plus générale des attaques de type boomerang contre les schémas de Feistel

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography. In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy. Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics. Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive

Cryptanalysis of Pseudo-random Generators Based on Vectorial FCSRs

978-3-642-34930-0 (Print)International audienceFeedback with Carry Shift Registers (FCSRs) have been first proposed in 2005 by F. Arnault and T. Berger as a promising alternative to LFSRs for the design of stream ciphers. The original proposal called F-FCSR simply filters the content of a FCSR in Galois mode using a linear function. In 2008, Hell and Johannson attacked this version using a method called LFSRization of F-FCSR. This attack is based on the fact that a single feedback bit controls the values of all the carry cells. Thus, a trail of 0 in the feedback bit annihilates the content of the carry register, leading to transform the FCSR into an LFSR during a sufficient amount of time. Following this attack, a new version of F-FCSR was proposed based on a new ring FCSR representation that guarantees that each carry cell depends on a distinct cell of the main register. This new proposal prevents the LFSRization from happening and remains unbroken since 2009. In parallel, Alaillou, Marjane and Mokrane proposed to replace the FCSR in Galois mode of the original proposal by a Vectorial FCSR (V-FCSR) in Galois mode. In this paper, we first introduce a general theoretical framework to show that Vectorial FCSRs could be seen as a particular case of classical FCSRs. Then, we show that Vectorial FCSRs used in Galois mode stay sensitive to the LFSRization of FCSRs. Finally, we demonstrate that hardware implementations of V-FCSRs in Galois mode are less efficient than those based on FCSRs in ring mode

Conception et évaluation des générateurs d'Aléa

Les générateurs de nombres pseudoaléatoires (PRNGs) sont le cœur de nombreux schémas cryptographiques. Des PRNGs inappropriés peuvent totalement affaiblir les systèmes d'information qui sont principalement forts. Dans cette thèse, nous considérons d une part les générateurs cryptographiques basés sur les registres à décalage à rétroaction avec retenues (FCSRs), introduits pour la première fois par A. Klapper et al. En 1993, et d'autre part les générateurs cryptographiquement sûrs notamment le DEC-PRNG (Dual Elliptic Curve-PRNGs) récemment introduit et normalisé par le NIST (SP 800-90). En 2005, dans le cadre du projet eSTREAM, F. Arnault et al. Ont proposé une nouvelle famille de chiffrement par flot basée sur des FCSRs filltrés, dont le F-FCSR-H v2 pour la version orientée hardware. Dans le même contexte, nous avons développé une nouvelle conception des FCSRs basée sur une approche vectorielle, les VFCSRs. Pour mettre en application cette nouvelle conception, nous avons conçu et analysé des VFCSRs sur F4 et nous avons proposé une nouvelle famille de chiffrement par flot, les VFCSR Quadratique filtrés (F-VFCSR-Q). Nous avons en particulier développé le chiffrement par flot orienté Hardware F-VFCSR-Q-H. En 2007, dans "Cryptanalysis of the DEC-PRNG", Berry Schoenmakers et al prétendaient que le DEC-PRNG pourrait souffrir d'une vulnérabilité à cause de la déviation à loi uniforme. Notre recherche a abouti à une nouvelle procédure de test basée sur le test de Kolmogorov-Smirnov pour la déviation des lois. Les résultats obtenus infirment ceux de B. Schoenmakers et al. Qui représentait encore la principale faille de DEC-PRNG.Pseudorandom number generators (PRNG) are the heart of many cryptographic schemes. Inappropriate generators can completely weaken the information systems which are mainly strong. In this thesis, we consider the random number generators for cryptography. First, we studied cryptographic generators based on feedback with Carry shift registers (FCSRs), introduced for the first time by A. Klapper and al. in 1993. On the other hand, cryptographically secure generators including the Dual Elliptic Curve pseudo-random number generator (DEC-PRNG) recently introduced and normalized by the NIST (SP 800-90). In 2005, for eSTREAM project, F. Arnault et al. proposed a new family of stream ciphers based on filtered FCSRs, of which the F-FCSR-H v2 for hardware-oriented version. In the same context, we have developed a new design of FCSR-based vectorial approach, the VFCSRs. To implement this new concept, we designed and analyzed VFCSRs over F4 and we have proposed a new family of stream, the filtered Quadratic VFCSRs (F-VFCSR-Q). We have also developed particular stream cipher F-VFCSR-Q-H oriented hardware version. In 2007, in "Cryptanalysis of the Dual Elliptic Curve Pseudorandom generator", Berry Schoenmakers and al. claimed that the DEC-PRNG could suffer from vulnerability because of the deviation from uniform law. We consider this problem of uniformity of the DEC-ECRNG outputs, and we propose a new testing procedure based on the Kolmogorov-Smirnov test for laws deviation. Results obtained by testing several samples invalidate the results obtained by B. Schoenmakers and al which still represented the principal fault of DEC-PRNG.ST DENIS-BU PARIS8 (930662101) / SudocSudocFranceF