Ten years of cube attacks

In 2009, Dinur and Shamir proposed the cube attack, an algebraic cryptanalysis technique that only requires black box access to a target cipher. Since then, this attack has received both many criticisms and endorsements from crypto community; this work aims at revising and collecting the many attacks that have been proposed starting from it. We categorise all of these attacks in five classes; for each class, we provide a brief summary description along with the state-of-the-art references and the most recent cryptanalysis results. Furthermore, we extend and refine the new notation we proposed in 2021 and we use it to provide a consistent definition for each attack family. Finally, in the appendix, we provide an in-depth description of the kite attack framework, a cipher independent tool we firstly proposed in 2018 that implements the kite attack on GPUs. To prove its effectiveness, we use Mickey2.0 as a use case, showing how to embed it in the framework

Key-dependent side-channel cube attack on CRAFT

CRAFT is a tweakable block cipher introduced in 2019 that aims to provide strong protection against differential fault analysis. In this paper, we show that CRAFT is vulnerable to side-channel cube attacks. We apply side-channel cube attacks to CRAFT with the Hamming weight leakage assumption. We found that the first half of the secret key can be recovered from the Hamming weight leakage after the first round. Next, using the recovered key bits, we continue our attack to recover the second half of the secret key. We show that the set of equations that are solvable varies depending on the value of the key bits. Our result shows that 99.90% of the key space can be fully recovered within a practical time

Electromagnetic Side-Channel Resilience against Lightweight Cryptography

Side-channel attacks are an unpredictable risk factor in cryptography. Therefore, observations of leakages through physical parameters, i.e., power and electromagnetic (EM) radiation, etc., of digital devices are essential to minimise vulnerabilities associated with cryptographic functions. Compared to costs in the past, performing side-channel attacks using inexpensive test equipment is becoming a reality. Internet-of-Things (IoT) devices are resource-constrained, and lightweight cryptography is a novel approach in progress towards IoT security. Thus, it would provide sufficient data and privacy protection in such a constrained ecosystem. Therefore, cryptanalysis of physical leakages regarding these emerging ciphers is crucial. EM side-channel attacks seem to cause a significant impact on digital forensics nowadays. Within existing literature, power analysis seems to have considerable attention in research whereas other phenomena, such as EM, should continue to be appropriately evaluated in playing a role in forensic analysis.The emphasis of this thesis is on lightweight cryptanalysis. The preliminary investigations showed no Correlation EManalysis (CEMA) of PRESENT lightweight algorithm. The PRESENT is a block cipher that promises to be adequate for IoT devices, and is expected to be used commercially in the future. In an effort to fill in this research gap, this work examines the capabilities of a correlation EM side-channel attack against the PRESENT. For that, Substitution box (S-box) of the PRESENT was targeted for its 1st round with the use of a minimum number of EM waveforms compared to other work in literature, which was 256. The attack indicates the possibility of retrieving 8 bytes of the secret key out of 10 bytes. The experimental process started from a Simple EMA (SEMA) and gradually enhanced up to a CEMA. The thesis presents the methodology of the attack modelling and the observations followed by a critical analysis. Also, a technical review of the IoT technology and a comprehensive literature review on lightweight cryptology are included

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Contributions to Confidentiality and Integrity Algorithms for 5G

The confidentiality and integrity algorithms in cellular networks protect the transmission of user and signaling data over the air between users and the network, e.g., the base stations. There are three standardised cryptographic suites for confidentiality and integrity protection in 4G, which are based on the AES, SNOW 3G, and ZUC primitives, respectively. These primitives are used for providing a 128-bit security level and are usually implemented in hardware, e.g., using IP (intellectual property) cores, thus can be quite efficient. When we come to 5G, the innovative network architecture and high-performance demands pose new challenges to security. For the confidentiality and integrity protection, there are some new requirements on the underlying cryptographic algorithms. Specifically, these algorithms should: 1) provide 256 bits of security to protect against attackers equipped with quantum computing capabilities; and 2) provide at least 20 Gbps (Gigabits per second) speed in pure software environments, which is the downlink peak data rate in 5G. The reason for considering software environments is that the encryption in 5G will likely be moved to the cloud and implemented in software. Therefore, it is crucial to investigate existing algorithms in 4G, checking if they can satisfy the 5G requirements in terms of security and speed, and possibly propose new dedicated algorithms targeting these goals. This is the motivation of this thesis, which focuses on the confidentiality and integrity algorithms for 5G. The results can be summarised as follows.1. We investigate the security of SNOW 3G under 256-bit keys and propose two linear attacks against it with complexities 2172 and 2177, respectively. These cryptanalysis results indicate that SNOW 3G cannot provide the full 256-bit security level. 2. We design some spectral tools for linear cryptanalysis and apply these tools to investigate the security of ZUC-256, the 256-bit version of ZUC. We propose a distinguishing attack against ZUC-256 with complexity 2236, which is 220 faster than exhaustive key search. 3. We design a new stream cipher called SNOW-V in response to the new requirements for 5G confidentiality and integrity protection, in terms of security and speed. SNOW-V can provide a 256-bit security level and achieve a speed as high as 58 Gbps in software based on our extensive evaluation. The cipher is currently under evaluation in ETSI SAGE (Security Algorithms Group of Experts) as a promising candidate for 5G confidentiality and integrity algorithms. 4. We perform deeper cryptanalysis of SNOW-V to ensure that two common cryptanalysis techniques, guess-and-determine attacks and linear cryptanalysis, do not apply to SNOW-V faster than exhaustive key search. 5. We introduce two minor modifications in SNOW-V and propose an extreme performance variant, called SNOW-Vi, in response to the feedback about SNOW-V that some use cases are not fully covered. SNOW-Vi covers more use cases, especially some platforms with less capabilities. The speeds in software are increased by 50% in average over SNOW-V and can be up to 92 Gbps.Besides these works on 5G confidentiality and integrity algorithms, the thesis is also devoted to local pseudorandom generators (PRGs). 6. We investigate the security of local PRGs and propose two attacks against some constructions instantiated on the P5 predicate. The attacks improve existing results with a large gap and narrow down the secure parameter regime. We also extend the attacks to other local PRGs instantiated on general XOR-AND and XOR-MAJ predicates and provide some insight in the choice of safe parameters

Algorithmes quantiques pour la cryptanalyse et cryptographie symétrique post-quantique

Modern cryptography relies on the notion of computational security. The level of security given by a cryptosystem is expressed as an amount of computational resources required to break it. The goal of cryptanalysis is to find attacks, that is, algorithms with lower complexities than the conjectural bounds.With the advent of quantum computing devices, these levels of security have to be updated to take a whole new notion of algorithms into account. At the same time, cryptography is becoming widely used in small devices (smart cards, sensors), with new cost constraints.In this thesis, we study the security of secret-key cryptosystems against quantum adversaries.We first build new quantum algorithms for k-list (k-XOR or k-SUM) problems, by composing exhaustive search procedures. Next, we present dedicated cryptanalysis results, starting with a new quantum cryptanalysis tool, the offline Simon's algorithm. We describe new attacks against the lightweight algorithms Spook and Gimli and we perform the first quantum security analysis of the standard cipher AES.Finally, we specify Saturnin, a family of lightweight cryptosystems oriented towards post-quantum security. Thanks to a very similar structure, its security relies largely on the analysis of AES.La cryptographie moderne est fondée sur la notion de sécurité computationnelle. Les niveaux de sécurité attendus des cryptosystèmes sont exprimés en nombre d'opérations ; une attaque est un algorithme d'une complexité inférieure à la borne attendue. Mais ces niveaux de sécurité doivent aujourd'hui prendre en compte une nouvelle notion d'algorithme : le paradigme du calcul quantique. Dans le même temps,la délégation grandissante du chiffrement à des puces RFID, objets connectés ou matériels embarqués pose de nouvelles contraintes de coût.Dans cette thèse, nous étudions la sécurité des cryptosystèmes à clé secrète face à un adversaire quantique.Nous introduisons tout d'abord de nouveaux algorithmes quantiques pour les problèmes génériques de k-listes (k-XOR ou k-SUM), construits en composant des procédures de recherche exhaustive.Nous présentons ensuite des résultats de cryptanalyse dédiée, en commençant par un nouvel outil de cryptanalyse quantique, l'algorithme de Simon hors-ligne. Nous décrivons de nouvelles attaques contre les algorithmes Spook et Gimli et nous effectuons la première étude de sécurité quantique du chiffrement AES. Dans un troisième temps, nous spécifions Saturnin, une famille de cryptosystèmes à bas coût orientés vers la sécurité post-quantique. La structure de Saturnin est proche de celle de l'AES et sa sécurité en tire largement parti

Lightweight symmetric cryptography

The Internet of Things is one of the principal trends in information technology nowadays. The main idea behind this concept is that devices communicate autonomously with each other over the Internet. Some of these devices have extremely limited resources, such as power and energy, available time for computations, amount of silicon to produce the chip, computational power, etc. Classical cryptographic primitives are often infeasible for such constrained devices. The goal of lightweight cryptography is to introduce cryptographic solutions with reduced resource consumption, but with a sufficient security level. Although this research area was of great interest to academia during the last years and a large number of proposals for lightweight cryptographic primitives have been introduced, almost none of them are used in real-word. Probably one of the reasons is that, for academia, lightweight usually meant to design cryptographic primitives such that they require minimal resources among all existing solutions. This exciting research problem became an important driver which allowed the academic community to better understand many cryptographic design concepts and to develop new attacks. However, this criterion does not seem to be the most important one for industry, where lightweight may be considered as "rightweight". In other words, a given cryptographic solution just has to fit the constraints of the specific use cases rather than to be the smallest. Unfortunately, academic researchers tended to neglect vital properties of the particular types of devices, into which they intended to apply their primitives. That is, often solutions were proposed where the usage of some resources was reduced to a minimum. However, this was achieved by introducing new costs which were not appropriately taken into account or in such a way that the reduction of costs also led to a decrease in the security level. Hence, there is a clear gap between academia and industry in understanding what lightweight cryptography is. In this work, we are trying to fill some of these gaps. We carefully investigate a broad number of existing lightweight cryptographic primitives proposed by academia including authentication protocols, stream ciphers, and block ciphers and evaluate their applicability for real-world scenarios. We then look at how individual components of design of the primitives influence their cost and summarize the steps to be taken into account when designing primitives for concrete cost optimization, more precisely - for low energy consumption. Next, we propose new implementation techniques for existing designs making them more efficient or smaller in hardware without the necessity to pay any additional costs. After that, we introduce a new stream cipher design philosophy which enables secure stream ciphers with smaller area size than ever before and, at the same time, considerably higher throughput compared to any other encryption schemes of similar hardware cost. To demonstrate the feasibility of our findings we propose two ciphers with the smallest area size so far, namely Sprout and Plantlet, and the most energy efficient encryption scheme called Trivium-2. Finally, this thesis solves a concrete industrial problem. Based on standardized cryptographic solutions, we design an end-to-end data-protection scheme for low power networks. This scheme was deployed on the water distribution network in the City of Antibes, France

cube cryptanalysis of lblock with noisy leakage

In this paper, we present some side channel cube attacks on LBlock, a lightweight block cipher proposed at ACNS 2011. It is shown that in the single bit leakage model, 14 bits of the secret key can be recovered with 2 10.7 time and 27.6 chosen plaintexts, captured the 44th state bit of the third round. In the Hamming weight leakage model, the full 80-bit key can be retrieved with only 210 32-round LBlock encryptions and 211.1 chosen plaintexts, given the leakage of the second least significant bit (LSB) of the Hamming weight after the third round. We also provide a rigorous analysis on the error tolerance probabilities of our attacks and show that the full 80-bit key can be restored in 230 32-round LBlock encryptions with 28.5 chosen plaintexts and at most 5.5% of the noisy leaked bits in the LSB of the Hamming weight after the second round. Many of the ideas in our attacks are applicable to other block ciphers as well. © 2013 Springer-Verlag.In this paper, we present some side channel cube attacks on LBlock, a lightweight block cipher proposed at ACNS 2011. It is shown that in the single bit leakage model, 14 bits of the secret key can be recovered with 2 10.7 time and 27.6 chosen plaintexts, captured the 44th state bit of the third round. In the Hamming weight leakage model, the full 80-bit key can be retrieved with only 210 32-round LBlock encryptions and 211.1 chosen plaintexts, given the leakage of the second least significant bit (LSB) of the Hamming weight after the third round. We also provide a rigorous analysis on the error tolerance probabilities of our attacks and show that the full 80-bit key can be restored in 230 32-round LBlock encryptions with 28.5 chosen plaintexts and at most 5.5% of the noisy leaked bits in the LSB of the Hamming weight after the second round. Many of the ideas in our attacks are applicable to other block ciphers as well. © 2013 Springer-Verlag