Some Results on Distinguishing Attacks on Stream Ciphers

Stream ciphers are cryptographic primitives that are used to ensure the privacy of a message that is sent over a digital communication channel. In this thesis we will present new cryptanalytic results for several stream ciphers. The thesis provides a general introduction to cryptology, explains the basic concepts, gives an overview of various cryptographic primitives and discusses a number of different attack models. The first new attack given is a linear correlation attack in the form of a distinguishing attack. In this attack a specific class of weak feedback polynomials for LFSRs is identified. If the feedback polynomial is of a particular form the attack will be efficient. Two new distinguishing attacks are given on classical stream cipher constructions, namely the filter generator and the irregularly clocked filter generator. It is also demonstrated how these attacks can be applied to modern constructions. A key recovery attack is described for LILI-128 and a distinguishing attack for LILI-II is given. The European network of excellence, called eSTREAM, is an effort to find new efficient and secure stream ciphers. We analyze a number of the eSTREAM candidates. Firstly, distinguishing attacks are described for the candidate Dragon and a family of candidates called Pomaranch. Secondly, we describe resynchronization attacks on eSTREAM candidates. A general square root resynchronization attack which can be used to recover parts of a message is given. The attack is demonstrated on the candidates LEX and Pomaranch. A chosen IV distinguishing attack is then presented which can be used to evaluate the initialization procedure of stream ciphers. The technique is demonstrated on four candidates: Grain, Trivium, Decim and LEX

Practical approach in evaluating the resistance of stream ciphers against algebraic attacks

Stream ciphers are the oldest technique in cryptography subject and still applicable in the modern era as it provides better speed and accuracy during encryption decryption process. It is also easy to be abuse and breakable if the algorithm is not designed properly because its key generator was constructed based on Boolean function which normally using Line Feedback Shift Register technique. Together with secret key, it will generate key stream bit that will be used to encrypt the plaintext into cipher text. Far from that, Algebraic Attacks and Fast Algebraic Attack has become popular among cryptographers as the nature of the attack was to recover the secret key by solving or decomposing the Boolean function that constructed the cryptosystems. This study mainly is to provide a practical way or approach on how to evaluate the resistance of stream ciphers against these two types of attack. As all of us know that cryptography always involve complex discrete arithmetic by nature. As a result, we as non-mathematician computer scientist or information systems practitioner practically leave any cryptographic problems to the mathematician to evaluate and observe the cryptosystems they want to implement. Hence, this case study has also presented some practical method on how to construct an evaluation capability from mathematical formulas designed by mathematician cryptographers. The prototype solution was built using Microsoft Visual Studio VB.Net 2008 and the simulation testing was successfully done and shows similar result when we compare with cryptanalysis report produced by cryptographers

Improving algebraic attacks on stream ciphers based on linear feedback shifter registers over F2kF_{2^k}

In this paper we investigate univariate algebraic attacks on filter generators over extension fields $F_q=F_{2^n}$ with focus on the Welch-Gong (WG) family of stream ciphers. Our main contribution is to break WG-5, WG-7, WG-8 and WG-16 by combining results on the so-called spectral immunity (minimum distance of certain cyclic codes) with properties of the WG type stream cipher construction. The spectral immunity is the univariate analog of algebraic immunity and instead of measuring degree of multiples of a multivariate polynomial, it measures the minimum number of nonzero coefficients of a multiple of a univariate polynomial. Based on the structure of the general WG-construction, we deduce better bounds for the spectral immunity and the univariate analog of algebraic attacks

Design of Stream Ciphers and Cryptographic Properties of Nonlinear Functions

Block and stream ciphers are widely used to protect the privacy of digital information. A variety of attacks against block and stream ciphers exist; the most recent being the algebraic attacks. These attacks reduce the cipher to a simple algebraic system which can be solved by known algebraic techniques. These attacks have been very successful against a variety of stream ciphers and major efforts (for example eSTREAM project) are underway to design and analyze new stream ciphers. These attacks have also raised some concerns about the security of popular block ciphers. In this thesis, apart from designing new stream ciphers, we focus on analyzing popular nonlinear transformations (Boolean functions and S-boxes) used in block and stream ciphers for various cryptographic properties, in particular their resistance against algebraic attacks. The main contribution of this work is the design of two new stream ciphers and a thorough analysis of the algebraic immunity of Boolean functions and S-boxes based on power mappings. First we present WG, a family of new stream ciphers designed to obtain a keystream with guaranteed randomness properties. We show how to obtain a mathematical description of a WG stream cipher for the desired randomness properties and security level, and then how to translate this description into a practical hardware design. Next we describe the design of a new RC4-like stream cipher suitable for high speed software applications. The design is compared with original RC4 stream cipher for both security and speed. The second part of this thesis closely examines the algebraic immunity of Boolean functions and S-boxes based on power mappings. We derive meaningful upper bounds on the algebraic immunity of cryptographically significant Boolean power functions and show that for large input sizes these functions have very low algebraic immunity. To analyze the algebraic immunity of S-boxes based on power mappings, we focus on calculating the bi-affine and quadratic equations they satisfy. We present two very efficient algorithms for this purpose and give new S-box constructions that guarantee zero bi-affine and quadratic equations. We also examine these S-boxes for their resistance against linear and differential attacks and provide a list of S-boxes based on power mappings that offer high resistance against linear, differential, and algebraic attacks. Finally we investigate the algebraic structure of S-boxes used in AES and DES by deriving their equivalent algebraic descriptions

Design and Cryptanalysis of Lightweight Symmetric Key Primitives

The need for lightweight cryptographic primitives to replace the traditional standardized primitives such as AES, SHA-2 and SHA-3, which are unrealistic in constrained environments, has been anticipated by the cryptographic community for over a decade and half. Such an anticipation came to reality by the apparent proliferation of Radio Frequency Identifiers (RFIDs), Internet of Things (IoT), smart devices and sensor networks in our daily lives. All these devices operate in constrained environments and require reasonable efficiency with low implementation costs and sufficient security. Accordingly, designing lightweight symmetric key cryptographic primitives and analyzing the state-of-the-art algorithms is an active area of research for both academia and industry, which is directly followed by the ongoing National Institute of Standards and Technology’s lightweight cryptography (NIST LWC) standardization project. In this thesis, we focus on the design and security analysis of such primitives. First, we present the design of four lightweight cryptographic permutations, namely sLiSCP, sLiSCP-light, ACE and WAGE. At a high level, these permutations adopt a Nonlinear Feedback Shift Register (NLFSR) based design paradigm. sLiSCP, sLiSCP-light and ACE use reduced-round Simeck block cipher, while WAGE employs Welch-Gong (WG) permutation and two 7-bit sboxes over the finite field $F_{2^7}$ as their underlying nonlinear components. We discuss their design rationale and analyze the security with respect to differential and linear, integral and symmetry based distinguishers using automated tools such as Mixed Integer Linear Programming (MILP) and SAT/SMT solvers. Second, we show the applications of these permutations to achieve Authenticated Encryption with Associated Data (AEAD), Message Authentication Code (MAC), Pseudorandom Bit Generator (PRBG) and Hash functionalities. We introduce the idea of the unified round function, which, when combined in a sponge mode can provide all the aforementioned functionalities with the same circuitry. We give concrete instantiations of several AEAD and hash schemes with varying security levels, e.g., 80, 96, 112 and 128 bits. Next, we present Spoc, a new AEAD mode of operation which offers higher security guarantees compared to traditional sponge-based AEAD schemes with smaller states. We instantiate Spoc with sLiSCP-light permutation and propose another two lightweight AEAD algorithms. Notably, 4 of our proposed schemes, namely ACE, Spix, Spoc and WAGE are round 2 candidates of NIST’s LWC project. Finally, we present cryptanalytic results on some lightweight ciphers. We first analyze the nonlinear initialization phase of WG-5 stream cipher using the division property based cube attack, and give a key recovery attack on 24 (out of 64) rounds with data and time complexities $2^{6.32}$ and $2^{76:81}$, respectively. Next, we propose a novel property of block ciphers called correlated sequences and show its applications to meet-in-the-middle attack. Consequently, we give the best key recovery attacks (up to 27 out of 32 rounds in a single key setting) on Simon and Simeck ciphers with block and key sizes 32 and 64 bits, respectively. The attack requires 3 known plaintext-ciphertext pairs and has a time complexity close to average exhaustive search. It is worth noting that variants of WG-5 and Simeck are the core components of aforementioned AEAD and hash schemes. Lastly, we present practical forgery attacks on Limdolen and HERN which are round 1 candidates of NIST LWC project. We show the existence of structural weaknesses which could be exploited to forge any message with success probability of 1. For Limdolen, we require the output of a single encryption query while for HERN we need at most 4 encryption queries for a valid forgery. Following our attack, both designs are eliminated from second round

A Flexible Ultralight Hardware Security Module for EPC RFID Tags

Due to the rapid growth of using Internet of Things (IoT) devices in daily life, the need to achieve an acceptable level of security and privacy for these devices is rising. Security risks may include privacy threats like gaining sensitive information from a device, and authentication problems from counterfeit or cloned devices. It is more challenging to add security features to extremely constrained devices, such as passive Electronic Product Code (EPC) Radio Frequency Identification (RFID) tags, compared to devices that have more computational and storage capabilities. EPC RFID tags are simple and low-cost electronic circuits that are commonly used in supply chains, retail stores, and other applications to identify physical objects. Most tags today are simple "license plates" that just identify the object they are attached to and have minimal security. Due to the security risks of new applications, there is an important need to implement secure RFID tags. Examples of the security risks for these applications include unauthorized physical tracking and inventorying of tags. The current commercial RFID tag designs use specialised hardware circuits approach. This approach can achieve the lowest area and power consumption; however, it lacks flexibility. This thesis presents an optimized application-specific instruction set architecture (ISA) for an ultralight Hardware Security Module (HSM). HSMs are computing devices that protect cryptographic keys and operations for a device. The HSM combines all security-related functions for passive RFID tag. The goal of this research is to demonstrate that using an application-specific instruction set processor (ASIP) architecture for ultralight HSMs provides benefits in terms of trade-offs between flexibility, extensibility, and efficiency. Our novel application specific instruction-set architecture allows flexibility on many design levels and achieves acceptable security level for passive EPC RFID tag. Our solution moves a major design effort from hardware to software, which largely reduces the final unit cost. Our ASIP processor can be implemented with 4,662 gate equivalent units (GEs) for 65 nm CMOS technology excluding cryptographic units and memories. We integrated and analysed four cryptographic modules: AES and Simeck block ciphers, WG-5 stream cipher, and ACE authenticated encryption module. Our HSM achieves very good efficiencies for both block and stream ciphers. Specifically for the AES cipher, we improve over a previous programmable AES implementation result by 32x. We increase performance dramatically and increase/decrease area by 17.97/17.14% respectively. These results fulfill the requirements of extremely constrained devices and allow the inclusion of cryptographic units into the datapath of our ASIP processor