Application of Fault Analysis to Some Cryptographic Standards

Cryptanalysis methods can be classified as pure mathematical attacks, such as linear and differential cryptanalysis, and implementation dependent attacks such as power analysis and fault analysis. Pure mathematical attacks exploit the mathematical structure of the cipher to reveal the secret key inside the cipher. On the other hand, implementation dependent attacks assume that the attacker has access to the cryptographic device to launch the attack. Fault analysis is an example of a side channel attack in which the attacker is assumed to be able to induce faults in the cryptographic device and observe the faulty output. Then, the attacker tries to recover the secret key by combining the information obtained from the faulty and the correct outputs. Even though fault analysis attacks may require access to some specialized equipment to be able to insert faults at specific locations or at specific times during the computation, the resulting attacks usually have time and memory complexities which are far more practical as compared to pure mathematical attacks. Recently, several AES-based primitives were approved as new cryptographic standards throughout the world. For example, Kuznyechik was approved as the standard block cipher in Russian Federation, and Kalyna and Kupyna were approved as the standard block cipher and the hash function, respectively, in Ukraine. Given the importance of these three new primitives, in this thesis, we analyze their resistance against fault analysis attacks. Firstly, we modified a differential fault analysis (DFA) attack that was applied on AES and applied it on Kuzneychik. Application of DFA on Kuznyechik was not a trivial task because of the linear transformation layer used in the last round of Kuznyechik. In order to bypass the effect of this linear transformation operation, we had to use an equivalent representation of the last round which allowed us to recover the last two round keys using a total of four faults and break the cipher. Secondly, we modified the attack we applied on Kuzneychik and applied it on Kalyna. Kalyna has a complicated key scheduling and it uses modulo 264 addition operation for applying the first and last round keys. This makes Kalyna more resistant to DFA as com- pared to AES and Kuznyechik but it is still practically breakable because the number of key candidates that can be recovered by DFA can be brute-forced in a reasonable time. We also considered the case where the SBox entries of Kalyna are not known and showed how to recover a set of candidates for the SBox entries. Lastly, we applied two fault analysis attacks on Kupyna hash function. In the first case, we assumed that the SBoxes and all the other function parameters are known, and in the second case we assumed that the SBoxes were kept secret and attacked the hash function accordingly. Kupyna can be used as the underlying hash function for the construction of MAC schemes such as secret IV, secret prefix, HMAC or NMAC. In our analysis, we showed that secret inputs of Kupyna can be recovered using fault analysis. To conclude, we analyzed two newly accepted standard ciphers (Kuznyechik, Kalyna) and one newly approved standard hash function (Kupyna) for their resistance against fault attacks. We also analyzed Kalyna and Kupyna with the assumption that these ciphers can be deployed with secret user defined SBoxes in order to increase their security

Cryptanalysis of the Round-Reduced Kupyna Hash Function

The Kupyna hash function was selected as the new Ukrainian standard DSTU 7564:2014 in 2015. It is designed to replace the old Independent States (CIS) standard GOST 34.311-95. The Kupyna hash function is an AES-based primitive, which uses Merkle-Damgård compression function based on Even-Mansour design. In this paper, we show the first cryptanalytic attacks on the round-reduced Kupyna hash function. Using the rebound attack, we present a collision attack on 5-round of the Kupyna-256 hash function. The complexity of this collision attack is ($2^{120},2^{64}$) (in time and memory). Furthermore, we use guess-and-determine MitM attack to construct pseudo-preimage attacks on 6-round Kupyna-256 and Kupyna-512 hash function, respectively. The complexity of these preimage attacks are ($2^{250.33},2^{250.33}$) and ($2^{498.33},2^{498.33}$) (in time and memory), respectively

Квантовий криптоаналiз геш-функцiї «Купина» iз застосуванням алгоритму Гровера-Саймона

У роботi дослiджено особливостi роботи та внутрiшню структуру геш-функцiї «Купина». Проаналiзовано алгоритми Гровера, Саймона та Гровера-Саймона. На основi аналiзу структури геш-функцiї «Купина» визначено, що функцiю стиснення можна представити як послiдовнiсть схем Iвена-Мансура iз вiдповiдними ключами та перестановкою. Таке представлення дало змогу побудувати атаку на функцiю стиснення за допомогою алгоритму Гровера-Саймона. Отримано оцiнки квантового часу атаки: 5, 6 раундiв функцiї стиснення та довжини входу = 512 бiт – (2173), (2173.24) вiдповiдно; 8 раундiв функцiї стиснення та довжини входу = 1024 бiт – (2344.33). Додатково дослiджено зведення атаки на функцiю стиснення геш-функцiї «Купина» до атаки на EFX-конструкцiю. Отримано оцiнки квантового часу атаки: 5, 6 раундiв функцiї стиснення та довжини входу = 512 бiт – (2344); 8 раундiв функцiї стиснення та довжини входу = 1024 бiт – (2686). Також оцiнено загальну схемну складнiсть атаки на конструкцiю CF + Trunc геш-функцiї «Купина» за допомогою алгоритму Гровера. Ця конструкцiя включає в себе функцiю стиснення та завершальну функцiю. Вiдповiдно до метрики NIST оцiнено застосовнiсть алгоритму Гровера до конструкцiї CF + Trunc та отримано наступнi значення схемної складностi: версiї геш-функцiї «Купина»- для 8 256 iз довжиною входу = 512 бiт вразливi до атаки за допомогою алгоритму Гровера, схемна складнiсть атаки складає (2313.73); стiйкiсть версiй геш-функцiї «Купина»- для 256 < 512 iз довжиною входу = 1024 поки залишається вiдкритим питанням вiдповiдно до порогових констант , схемна складнiсть атаки складає (2572.86).The paper examines the peculiarities of the operation and internal structure of the «Kupyna» hash function. The structure of the Grover, Simon, and Grover-meets-Simon algorithms is analyzed. Based on the analysis of the structure of the «Kupyna» hash function, it has been determined that the compression function can be represented as a sequence of Even-Mansour schemes with corresponding keys and permutations. This representation allowed for an attack on the compression function using the Grover-meets-Simon algorithm. Estimates of the quantum time for the attack have been obtained: approximately (2173) for 5, 6 rounds of the compression function and an input length = 512 bits, and approximately (2173.24) for 8 rounds of the compression function and an input length = 1024, it is approximately (2344.33). Furthermore, the reduction of the attack on the compression function of the «Kupyna» hash function to an attack on the EFX construction has been investigated. Estimates of the quantum time for the attack have been obtained: approximately (2344) for 5, 6 rounds of the compression function and an input length = 512 bits, and approximately (2686) for 8 rounds of the compression function and an input length = 1024 bits. The overall gate complexity of the attack on the CF + Trunc construction of the «Kupyna» hash function using the Grover algorithm has also been evaluated. This construction includes the compression function and the finalization function. According to the NIST metric, the applicability of the Grover algorithm to the CF + Trunc construction has been assessed, and the following gate complexity values have been obtained: versions of the «Kupyna»- hash function with 8 256 and an input length = 512 bits are vulnerable to attacks using the Grover algorithm, with a gate complexity of approximately (2313.73); the security of versions of the «Kupyna»- hash function with 256 < 512 and an input length = 1024 bits remains an open question according to the threshold constants , with a gate complexity of approximately (2572.86)

Квантовий криптоаналiз геш-функцiї «Купина»

Об’єктом дослiдження є iнформацiйнi процеси в системах криптографiчного захисту iнформацiї. Предметом дослiдження є складнiсть застосування алгоритму Гровера до геш-функцiї «Купина» у квантовiй моделi обчислень. Метою роботи є побудова атаки з використанням алгоритму квантового пошуку (алгоритму Гровера) на криптографiчну геш-функцiю «Купина» у квантовiй моделi обчислень.The object of research is information processes in systems of cryptographic protection of information. The subject of the research is the complexity of applying Grover’s algorithm to the hash function «Kupyna» in the quantum model of calculations

Cryptanalysis of Block Ciphers with New Design Strategies

Block ciphers are among the mostly widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public-key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and discrete logarithm problem in the DiffieHellman. Therefore, their security are mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques. Our research is dedicated to the cryptanalysis of block ciphers. In particular, throughout this thesis, we investigate the security of some block ciphers constructed with new design strategies. These new strategies include (i) employing simple round function, and modest key schedule, (ii) using another input called tweak rather than the usual two inputs of the block ciphers, the plaintext and the key, to instantiate different permutations for the same key. This type of block ciphers is called a tweakable block cipher, (iii) employing linear and non-linear components that are energy efficient to provide low energy consumption block ciphers, (iv) employing optimal diffusion linear transformation layer while following the AES-based construction to provide faster diffusion rate, and (v) using rather weak but larger S-boxes in addition to simple linear transformation layers to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. The results presented in this thesis can be summarized as follows: Initially, we analyze the security of two lightweight block ciphers, namely, Khudra and Piccolo against Meet-in-the-Middle (MitM) attack based on the Demirci and Selcuk approach exploiting the simple design of the key schedule and round function. Next, we investigate the security of two tweakable block ciphers, namely, Kiasu-BC and SKINNY. According to the designers, the best attack on Kiasu-BC covers 7 rounds. However, we exploited the tweak to present 8-round attack using MitM with efficient enumeration cryptanalysis. Then, we improve the previous results of the impossible differential cryptanalysis on SKINNY exploiting the tweakey schedule and linear transformation layer. Afterwards, we study the security of new low energy consumption block cipher, namely, Midori128 where we present the longest impossible differential distinguishers that cover complete 7 rounds. Then, we utilized 4 of these distinguishers to launch key recovery attack against 11 rounds of Midori128 to improve the previous results on this cipher using the impossible differential cryptanalysis. Then, using the truncated differential cryptanalysis, we are able to attack 13 rounds of Midori128 utilizing a 10-round differential distinguisher. We also analyze Kuznyechik, the standard Russian federation block cipher, against MitM with efficient enumeration cryptanalysis where we improve the previous results on Kuznyechik, using MitM attack with efficient enumeration, by presenting 6-round attack. Unlike the previous attack, our attack exploits the exact values of the coefficients of the MDS transformation that is used in the cipher. Finally, we present key recovery attacks using the multidimensional zero-correlation cryptanalysis against SPARX-128, which follows the long trail design strategy, to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography. In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy. Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics. Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive