Cryptanalysis of Reduced round SKINNY Block Cipher

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones

Cryptanalysis of SKINNY in the Framework of the SKINNY 2018--2019 Cryptanalysis Competition

In April 2018, Beierle et al. launched the 3rd SKINNY cryptanalysis competition, a contest that aimed at motivating the analysis of their recent tweakable block cipher SKINNY . In contrary to the previous editions, the focus was made on practical attacks: contestants were asked to recover a 128-bit secret key from a given set of 2^20 plaintext blocks. The suggested SKINNY instances are 4- to 20-round reduced variants of SKINNY-64-128 and SKINNY-128-128. In this paper, we explain how to solve the challenges for 10-round SKINNY-128-128 and for 12-round SKINNY-64-128 in time equivalent to roughly 2^52 simple operations. Both techniques benefit from the highly biased sets of messages that are provided and that actually correspond to the encryption of various books in ECB mode

Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT'91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics. In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of 2−56.932−56.93, while the best single characteristic only suggests a probability of 2−722−72. Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives. Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys

Security analysis of NIST-LWC contest finalists

Dissertação de mestrado integrado em Informatics EngineeringTraditional cryptographic standards are designed with a desktop and server environment in mind, so, with the relatively recent proliferation of small, resource constrained devices in the Internet of Things, sensor networks, embedded systems, and more, there has been a call for lightweight cryptographic standards with security, performance and resource requirements tailored for the highly-constrained environments these devices find themselves in. In 2015 the National Institute of Standards and Technology began a Standardization Process in order to select one or more Lightweight Cryptographic algorithms. Out of the original 57 submissions ten finalists remain, with ASCON and Romulus being among the most scrutinized out of them. In this dissertation I will introduce some concepts required for easy understanding of the body of work, do an up-to-date revision on the current situation on the standardization process from a security and performance standpoint, a description of ASCON and Romulus, and new best known analysis, and a comparison of the two, with their advantages, drawbacks, and unique traits.Os padrões criptográficos tradicionais foram elaborados com um ambiente de computador e servidor em mente. Com a proliferação de dispositivos de pequenas dimensões tanto na Internet of Things, redes de sensores e sistemas embutidos, apareceu uma necessidade para se definir padrões para algoritmos de criptografia leve, com prioridades de segurança, performance e gasto de recursos equilibrados para os ambientes altamente limitados em que estes dispositivos operam. Em 2015 o National Institute of Standards and Technology lançou um processo de estandardização com o objectivo de escolher um ou mais algoritmos de criptografia leve. Das cinquenta e sete candidaturas originais sobram apenas dez finalistas, sendo ASCON e Romulus dois desses finalistas mais examinados. Nesta dissertação irei introduzir alguns conceitos necessários para uma fácil compreensão do corpo deste trabalho, assim como uma revisão atualizada da situação atual do processo de estandardização de um ponto de vista tanto de segurança como de performance, uma descrição do ASCON e do Romulus assim como as suas melhores análises recentes e uma comparação entre os dois, frisando as suas vantagens, desvantagens e aspectos únicos

Related-Key Impossible-Differential Attack on Reduced-Round Skinny

At CRYPTO’16, Beierle et al. presented SKINNY, a family of lightweight tweakable block ciphers intended to compete with the NSA designs SIMON and SPECK. SKINNY can be implemented efficiently in both soft- and hardware and supports block sizes of 64 and 128 bits as well as tweakey sizes of 64, 128, 192 and 128, 256, 384 bits respectively. This paper presents a related-tweakey impossible-differential attack on up to 23 (out of 36) rounds of SKINNY-64/128 for different tweak sizes. All our attacks can be trivially extended to SKINNY-128/128

Cryptanalysis of Block Ciphers with New Design Strategies

Block ciphers are among the mostly widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public-key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and discrete logarithm problem in the DiffieHellman. Therefore, their security are mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques. Our research is dedicated to the cryptanalysis of block ciphers. In particular, throughout this thesis, we investigate the security of some block ciphers constructed with new design strategies. These new strategies include (i) employing simple round function, and modest key schedule, (ii) using another input called tweak rather than the usual two inputs of the block ciphers, the plaintext and the key, to instantiate different permutations for the same key. This type of block ciphers is called a tweakable block cipher, (iii) employing linear and non-linear components that are energy efficient to provide low energy consumption block ciphers, (iv) employing optimal diffusion linear transformation layer while following the AES-based construction to provide faster diffusion rate, and (v) using rather weak but larger S-boxes in addition to simple linear transformation layers to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. The results presented in this thesis can be summarized as follows: Initially, we analyze the security of two lightweight block ciphers, namely, Khudra and Piccolo against Meet-in-the-Middle (MitM) attack based on the Demirci and Selcuk approach exploiting the simple design of the key schedule and round function. Next, we investigate the security of two tweakable block ciphers, namely, Kiasu-BC and SKINNY. According to the designers, the best attack on Kiasu-BC covers 7 rounds. However, we exploited the tweak to present 8-round attack using MitM with efficient enumeration cryptanalysis. Then, we improve the previous results of the impossible differential cryptanalysis on SKINNY exploiting the tweakey schedule and linear transformation layer. Afterwards, we study the security of new low energy consumption block cipher, namely, Midori128 where we present the longest impossible differential distinguishers that cover complete 7 rounds. Then, we utilized 4 of these distinguishers to launch key recovery attack against 11 rounds of Midori128 to improve the previous results on this cipher using the impossible differential cryptanalysis. Then, using the truncated differential cryptanalysis, we are able to attack 13 rounds of Midori128 utilizing a 10-round differential distinguisher. We also analyze Kuznyechik, the standard Russian federation block cipher, against MitM with efficient enumeration cryptanalysis where we improve the previous results on Kuznyechik, using MitM attack with efficient enumeration, by presenting 6-round attack. Unlike the previous attack, our attack exploits the exact values of the coefficients of the MDS transformation that is used in the cipher. Finally, we present key recovery attacks using the multidimensional zero-correlation cryptanalysis against SPARX-128, which follows the long trail design strategy, to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis

Differential Power Analysis of the SKINNY Family of Block Ciphers

The SKINNY family of lightweight block ciphers is well-researched in terms of standard cryptanalysis, but little has been done in the field of power analysis attacks. By sequentially dividing and conquering, univariate Differential Power Analysis attacks are performed against SKINNY. As the resulting diffusion from MixColumns introduces redundancy in terms of leakage, we introduce an alternative placement scheme for the tweak material in the related-tweakey setting to minimize leakage of the key material.Masteroppgave i informatikkINF399MAMN-INFMAMN-PRO

Residual Vulnerabilities to Power side channel attacks of lightweight ciphers cryptography competition Finalists

The protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device\u27s secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data, in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built‐in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that Ascon, Sparkle, and PHOTON‐Beetle security vulnerability can generally be assessed with the security assumptions “Chosen ciphertext attack and leakage in encryption only, with nonce‐misuse resilience adversary (CCAmL1)” and “Chosen ciphertext attack and leakage in encryption only with nonce‐respecting adversary (CCAL1)”, respectively. However, the security vulnerability of GIFT‐COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack