10 research outputs found

    Some Observations on TWIS Block Cipher

    The 128-bit block cipher TWIS was proposed by Ojha et al. in 2009. It is a lightweight block cipher whose design is inspired by CLEFIA. In this paper, we first study the properties of the TWIS structure, and as an extension we also consider the generalized TWIS-type structure, which can be called the G-TWIS cipher, where the block size and round number can be arbitrary values. Then we present a series of 10-round differential distinguishers for TWIS and an n-round differential distinguisher for G-TWIS whose probabilities are all equal to 1. Therefore, by utilizing these kinds of differential distinguishers, we can break the full 10-round TWIS cipher and the n-round G-TWIS cipher.

    HARPOCRATES: An Approach Towards Efficient Encryption of Data-at-rest

    This paper proposes a new block cipher called HARPOCRATES, which is different from traditional SPN, Feistel, or ARX designs. The new design structure that we use is called the substitution convolution network. The novelty of the approach lies in the fact that the substitution function does not use fixed S-boxes. Instead, it uses a key-driven lookup table storing a permutation of all 8-bit values. If the lookup table is sufficiently randomly shuffled, the round sub-operations provide good confusion and diffusion to the cipher. While designing the cipher, security, cost, and performance are balanced, keeping the requirements of encryption of data-at-rest in mind. The round sub-operations are massively parallelizable and designed such that a single active bit may make the entire state (an 8 × 16 binary matrix) active in one round. We analyze the security of the cipher against linear, differential, and impossible differential cryptanalysis. The cipher's resistance against many other attacks, such as algebraic attacks, structural attacks, and weak keys, is also shown. We implemented the cipher in software and hardware, and found that the software implementation of the cipher results in better throughput than many well-known ciphers. Although HARPOCRATES is designed for the encryption of data-at-rest, it is also well-suited to data-in-transit environments.

    Fault-Resilient Lightweight Cryptographic Block Ciphers for Secure Embedded Systems

    The development of extremely constrained environments with sensitive nodes such as RFID tags and nano-sensors necessitates the use of lightweight block ciphers. Indeed, lightweight block ciphers are essential for providing low-cost confidentiality to such applications. Nevertheless, providing the required security properties does not guarantee their reliability and hardware assurance when the architectures are prone to natural and malicious faults. In this thesis, considering false-alarm resistivity, error detection schemes for lightweight block ciphers are proposed with the case study of XTEA (eXtended TEA). We note that lightweight block ciphers might be better suited for low-resource environments compared to the Advanced Encryption Standard, providing low complexity and power consumption. To the best of the author's knowledge, no error detection scheme for XTEA has been presented in the literature to date. Three different error detection approaches are presented, and according to our fault-injection simulations for benchmarking the effectiveness of the proposed schemes, high error coverage is derived. Finally, field-programmable gate array (FPGA) implementations of these proposed error detection structures are presented to assess their efficiency and overhead. The proposed error detection architectures are capable of increasing the reliability of the implementations of this lightweight block cipher. The schemes presented can also be applied to lightweight hash functions with similar structures, making them suitable for providing reliability to their lightweight, security-constrained hardware implementations.

    Impossible meet-in-the-middle fault analysis on the LED lightweight cipher in VANETs

    With the expansion of wireless technology, vehicular ad-hoc networks (VANETs) are emerging as a promising approach for realizing smart cities and addressing many serious traffic problems, such as road safety, convenience, and efficiency. To avoid possible malicious attacks, employing lightweight ciphers is the most effective way to implement encryption/decryption, message authentication, and digital signatures for the security of VANETs. Light encryption device (LED) is a lightweight block cipher with two basic key-size variants: LED-64 and LED-128. Since its inception, many fault analysis techniques have focused on provoking faults in the last four rounds to derive the 64-bit and 128-bit secret keys. It is vital to investigate whether injecting faults into an earlier round enables breaking LED. This study presents a novel impossible meet-in-the-middle fault analysis on an earlier round. A detailed analysis of the expected number of faults is used to uniquely determine the secret key. It is based on the propagation of truncated differentials and is surprisingly reminiscent of the computation of the complexity of a rectangle attack. It shows that the impossible meet-in-the-middle fault analysis can successfully break LED by fault injection.

    Fallen Sanctuary: A Higher-Order and Leakage-Resilient Rekeying Scheme

    This paper presents a provably secure, higher-order, and leakage-resilient (LR) rekeying scheme named LR Rekeying with Random oracle Repetition (LR4), along with a quantitative security evaluation methodology. Many existing LR cryptographic schemes are based on the concept of leveled implementation, which still essentially requires a leak-free sanctuary (i.e., differential power analysis (DPA)-resistant component(s)) for some parts. In addition, although several LR pseudorandom functions (PRFs) based only on bounded DPA-resistant components have been developed, their validity and effectiveness for rekeying usage still need to be determined. In contrast, LR4 is formally proven under a leakage model that captures the practical goal of side-channel attack (SCA) protection (e.g., masking with a practical order) and assumes no unbounded DPA-resistant sanctuary. This proof suggests that LR4 resists an exponential number of invocations (up to the birthday bound of the key size) without using any unbounded leak-free component, which is the first of its kind. Moreover, we present a quantitative SCA success rate evaluation methodology for LR4 that combines the bounded leakage models for LR cryptography and a state-of-the-art information-theoretic SCA evaluation method. We validate its soundness and effectiveness as a DPA countermeasure through a numerical evaluation; that is, the number of secure calls of a symmetric primitive increases exponentially with a security parameter under practical conditions.

    Security Analysis of the Signal Protocol

    This master's thesis studies the Signal Protocol. It focuses mainly on the cryptography used, and on the functionality and structure of the protocol. The thesis further contains an analysis of the source code of the official implementation and compares the state of the protocol with its documentation. The thesis also discusses potential security weaknesses of the protocol and formulates their mitigation or removal.

    This thesis provides a security analysis of the Signal Protocol. The protocol's cryptography, functionality, and structure are discussed. The source code of the official implementation is analyzed and the protocol's state is compared with the documentation. Finally, the protocol's potential security vulnerabilities are examined and their mitigation or removal is formulated.

    A Holmes and Doyle Bibliography, Volume 9: All Formats—Combined Alphabetical Listing

    This bibliography is a work in progress. It attempts to update Ronald B. De Waal's comprehensive bibliography, The Universal Sherlock Holmes, but does not claim to be exhaustive in content. New works are continually discovered and added to this bibliography. Readers and researchers are invited to suggest additional content. This volume contains all listings in all formats, arranged alphabetically by author or main entry. In other words, it combines the listings from Volume 1 (Monograph and Serial Titles), Volume 3 (Periodical Articles), and Volume 7 (Audio/Visual Materials) into a comprehensive bibliography. (There may be additional materials included in this list, e.g. duplicate items and items not yet fully edited.) As in the other volumes, coverage of this material begins around 1994, the final year covered by De Waal's bibliography, but may not yet be totally up to date (given the ongoing nature of this bibliography). It is hoped that other titles will be added at a later date. At present, this bibliography includes 12,594 items.

    Research on the Automation of Typical Cryptanalysis Methods

    Cryptanalysis, as an important branch of cryptology, is receiving increasing attention. Analyzing a cryptographic algorithm serves, first, to discover weaknesses of the cryptosystem in order to improve the encryption process and better protect information. On the other hand, it serves to understand the attack methods of cryptanalysts so that their attacks can be prevented. The security of a cryptosystem can only be concluded after a comprehensive analysis of its ability to resist known attacks. Therefore, cryptanalysis is very necessary. The analysis of a block cipher generally consists of two steps: the first is to find an effective distinguisher for the cipher, that is, some non-randomness of the algorithm; the second is to use that distinguisher to recover the key. Therefore, constructing effective distinguishers is an important precondition of cryptanalysis. Currently, distinguishers are constructed by hand or by nearly exhaustive search, which is inefficient. To improve the efficiency of distinguisher search, developing more efficient search algorithms for distinguishers is currently an important research direction. This thesis studies the automation of differential cryptanalysis, boomerang cryptanalysis, linear cryptanalysis, near-collision analysis and guess-and-determine analysis, gives search algorithms for differential characteristics, boomerang distinguishers, linear characteristics and guess-and-determine paths, and uses these new results to analyze the security of several ciphers. The main research results and contributions are as follows:

    1. For S-box-based block ciphers, we give a search algorithm for the differential (linear) active patterns with the fewest differential (linear) active S-boxes for Feistel-SP and various generalized Feistel-SP structures; using these active patterns, we give a search algorithm for the best differential (linear) characteristics of Feistel-SP and the various generalized Feistel-SP structures. For ARX-type block ciphers and hash functions, we give an automatic search algorithm for linearized differential characteristics. We also give a search algorithm for boomerang characteristics of ARX-type block ciphers and hash functions. We give two search algorithms for guess-and-determine paths, which work at the bit level and run fast.

    2. SMS4 is the first commercial block cipher published by the Chinese government, used for the security protection of wireless LAN products; since its publication in 2006 it has attracted great attention from academia and industry at home and abroad. By studying the unbalanced generalized Feistel structure of SMS4 and the diffusion properties of its round function, this thesis gives the relationships between the input and output differences of the round function over 5 and 6 rounds, designs a search algorithm for differential active patterns of SMS4, and gives the minimum number of active S-boxes and the differential active patterns for 6-, 7-, 8-, 9-, 10- and 12-round SMS4. Using the differential characteristic search algorithm, we further give an effective 19-round differential characteristic; using it, combined with some analysis techniques, we give a differential cryptanalysis algorithm for 23-round SMS4. This is the best cryptanalytic result on SMS4 to date.

    3. In 2007 NIST launched the public competition for the new SHA-3 hash function standard, whose main purpose is to find a replacement for the SHA-2 standard; BLAKE and Skein are among the five finalists. They use three operations, XOR, modular addition and rotation, and we call them ARX-based hash functions. Using the search algorithm for linearized differential characteristics of ARX ciphers, we give near-collision attacks on the 4-round compression function of BLAKE-32 and on the 4- and 5-round compression functions of BLAKE-64; furthermore, we give near-collision attacks on the 24-round compression functions of Skein-256, Skein-512 and Skein-1024. These are the best near-collision results on BLAKE and Skein to date.

    4. Driven by applications such as RFID and the Internet of Things, lightweight cryptography has become a research hotspot in recent years, and a series of lightweight block ciphers have been proposed. TWIS is a lightweight block cipher published by Indian researchers in 2009 that borrows the design ideas of CLEFIA; its designers claimed that TWIS is as secure as CLEFIA, has good statistical and avalanche properties, and resists many block cipher cryptanalysis methods. We give 10-round differential and linear distinguishers for TWIS and prove that for the TWIS structure a differential characteristic with probability 1 can be found for any number of rounds, thereby showing that TWIS is a very weak lightweight block cipher.

    Cryptanalysis is one of the important parts of cryptology, and it receives increasing attention nowadays. On one hand, the goal of cryptanalysis is to find potential weaknesses of a cryptographic system, then improve its security. On the other hand, the goal of cryptanalysis is to better understand the cryptanalytic approaches, then resist such attacks. Only after comprehensive cryptanalysis against all kinds of known cryptanalytic approaches can a cryptographic system be concluded to be secure. Therefore, cryptanalysis is indispensable. Generally, the analysis of a block cipher has two steps. First, constructing effective distinguishers, that is to say, finding some non-pseudo-randomness of the cipher. Second, recovering the seed key using the distinguishers. Hence, the construction of effective distinguishers is a very important precondition of cryptanalysis. Currently, the methods of constructing distinguishers have often been hand-made or nearly exhaustive search, which is often inefficient. Therefore, improving the efficiency of the construction of distinguishers and designing more efficient search algorithms is an important research direction. In this thesis, we focus on the automation of differential cryptanalysis, boomerang attack, linear cryptanalysis, near-collision attack, and guess-and-determine attack. We give algorithms to search for differential characteristics, boomerang distinguishers, linear approximations and guess-and-determine distinguishers. Using the above results, we analyze the security of some cryptographic algorithms. The following are our main contributions:

    1. For some block cipher structures using S-boxes and linear transformations, including Feistel-SP and Generalized Feistel-SP structures, we give a search algorithm to calculate the least number of differential and linear active S-boxes. Using the above results, we further give an algorithm to search for the best differential and linear characteristics. For ARX-based block ciphers and hash functions, we give an algorithm to automatically search for the linear differential characteristics; moreover, we give an algorithm to automatically search for the boomerang distinguishers. Finally, we give two algorithms to automatically search for the guess-and-determine characteristics for non-linear equation sets; the algorithms are efficient and bit-wise.

    2. SMS4 is the first commercial block cipher released by the Chinese government, which is used for security protection of products in wireless local area networks. Since its release in 2006, it has attracted great attention from worldwide academia and industry. By researching and analyzing features of its generalized Feistel structure and diffusion properties of its round function, we give some relationships between the input difference and output difference of the round function of 5-round and 6-round SMS4. Then, we present a search algorithm for differential active patterns of SMS4, and give the least number of differential active S-boxes and the differential active patterns of 6-, 7-, 8-, 9-, 10- and 12-round SMS4. Furthermore, we present differential characteristics for 19-round SMS4. Finally, we present an analytical algorithm for 23-round SMS4 using 19-round differential characteristics and some analytical techniques. Our results are the best known on SMS4 so far.

    3. The National Institute of Standards and Technology (NIST) opened a public competition in 2007 to develop a new cryptographic hash algorithm, SHA-3, which will replace the hash standard SHA-2. BLAKE and Skein are two of the 5 finalists. The two algorithms only use 3 kinds of operations, i.e., XOR, modular addition and circular shift, and such designs are usually called ARX-based hash functions. Using the search algorithm for linearized differential trails of ARX-based ciphers, we present a near-collision attack on the 4-round compression function of BLAKE-32, and near-collision attacks on the 4- and 5-round compression functions of BLAKE-64; moreover, we present near-collision attacks on the 24-round compression functions of Skein-256, Skein-512 and Skein-1024. Our results are the best known near-collision attacks on BLAKE and Skein.

    4. Due to application development such as RFID and the Internet of Things, light-weight cryptology has become a research focus of cryptology, and a series of light-weight block ciphers have been proposed. TWIS is a light-weight block cipher designed by Indian researchers in 2009, which uses the design ideas of the CLEFIA block cipher. The designers claimed that the security strength of TWIS is quite near that of CLEFIA, that TWIS has very good statistical and avalanche properties, and that TWIS can resist many cryptanalytical approaches for block ciphers. However, we can design 10-round differential and 10-round linear distinguishers for TWIS. Furthermore, we can find differential characteristics with probability 1 for arbitrary rounds of the TWIS structure. Our results show that TWIS is a very weak light-weight block cipher.