13 research outputs found
SoK: Security Evaluation of SBox-Based Block Ciphers
Cryptanalysis of block ciphers is an active and important research area with an extensive volume of literature. For this work, we focus on SBox-based ciphers, as they are widely used and cover a large class of block ciphers. While there have been prior works that have consolidated attacks on block ciphers, they usually focus on describing and listing the attacks. Moreover, the methods for evaluating a cipher\u27s security are often ad hoc, differing from cipher to cipher, as attacks and evaluation techniques are developed along the way. As such, we aim to organise the attack literature, as well as the work on security evaluation.
In this work, we present a systematization of cryptanalysis of SBox-based block ciphers focusing on three main areas: (1) Evaluation of block ciphers against standard cryptanalytic attacks; (2) Organisation and relationships between various attacks; (3) Comparison of the evaluation and attacks on existing ciphers
Techniques améliorées pour la cryptanalyse des primitives symétriques
This thesis proposes improvements which can be applied to several techniques for the cryptanalysis of symmetric primitives. Special attention is given to linear cryptanalysis, for which a technique based on the fast Walsh transform was already known (Collard et al., ICISIC 2007). We introduce a generalised version of this attack, which allows us to apply it on key recovery attacks over multiple rounds, as well as to reduce the complexity of the problem using information extracted, for example, from the key schedule. We also propose a general technique for speeding key recovery attacks up which is based on the representation of Sboxes as binary decision trees. Finally, we showcase the construction of a linear approximation of the full version of the Gimli permutation using mixed-integer linear programming (MILP) optimisation.Dans cette thèse, on propose des améliorations qui peuvent être appliquées à plusieurs techniques de cryptanalyse de primitives symétriques. On dédie une attention spéciale à la cryptanalyse linéaire, pour laquelle une technique basée sur la transformée de Walsh rapide était déjà connue (Collard et al., ICISC 2007). On introduit une version généralisée de cette attaque, qui permet de l'appliquer pour la récupération de clé considerant plusieurs tours, ainsi que le réduction de la complexité du problème en utilisant par example des informations provénantes du key-schedule. On propose aussi une technique générale pour accélérer les attaques par récupération de clé qui est basée sur la représentation des boîtes S en tant que arbres binaires. Finalement, on montre comment on a obtenu une approximation linéaire sur la version complète de la permutation Gimli en utilisant l'optimisation par mixed-integer linear programming (MILP)
A Salad of Block Ciphers
This book is a survey on the state of the art in block cipher design and analysis.
It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months.
However, it is also in a self-contained, useable, and relatively polished state, and for this reason
I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much.
At some point I will produce a final version -- whatever being a ``final version\u27\u27 means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people
Finding the Impossible: Automated Search for Full Impossible-Differential, Zero-Correlation, and Integral Attacks
Impossible differential (ID), zero-correlation (ZC), and integral attacks are a family of important attacks on block ciphers. For example, the impossible differential attack was the first cryptanalytic attack on 7 rounds of AES. Evaluating the security of block ciphers against these attacks is very important but also challenging: Finding these attacks usually implies a combinatorial optimization problem involving many parameters and constraints that is very hard to solve using manual approaches. Automated solvers, such as Constraint Programming (CP) solvers, can help the cryptanalyst to find suitable attacks. However, previous CP-based methods focus on finding only the ID, ZC, and integral distinguishers, often only in a limited search space. Notably, none can be extended to a unified optimization problem for finding full attacks, including efficient key-recovery steps.
In this paper, we present a new CP-based method to search for ID, ZC, and integral distinguishers and extend it to a unified constraint optimization problem for finding full ID, ZC, and integral attacks. To show the effectiveness and usefulness of our method, we applied it to several block ciphers, including SKINNY, CRAFT, SKINNYe-v2, and SKINNYee. For the ISO standard block cipher SKINNY, we significantly improve all existing ID, ZC, and integral attacks. In particular, we improve the integral attacks on SKINNY-- and SKINNY-- by 3 and 2 rounds, respectively, obtaining the best cryptanalytic results on these variants in the single-key setting. We improve the ZC attack on SKINNY-- (SKINNY--) by 2 (resp. 1) rounds. We also improve the ID attacks on all variants of SKINNY. Particularly, we improve the time complexity of the best previous single-tweakey (related-tweakey) ID attack on SKINNY-- (resp. SKINNY--) by a factor of (resp. ). On CRAFT, we propose a 21-round (20-round) ID (resp. ZC) attack, which improves the best previous single-tweakey attack by 2 (resp. 1) rounds. Using our new model, we also provide several practical integral distinguishers for reduced-round SKINNY, CRAFT, and Deoxys-BC. Our method is generic and applicable to other strongly aligned block ciphers
Analysis and Design of Symmetric Cryptographic Algorithms
This doctoral thesis is dedicated to the analysis and the design of
symmetric cryptographic algorithms.
In the first part of the dissertation, we deal with fault-based attacks
on cryptographic circuits which belong to the field of active implementation
attacks and aim to retrieve secret keys stored on such chips. Our main focus
lies on the cryptanalytic aspects of those attacks. In particular, we target
block ciphers with a lightweight and (often) non-bijective key schedule where
the derived subkeys are (almost) independent from each other. An attacker who is
able to reconstruct one of the subkeys is thus not necessarily able to directly
retrieve other subkeys or even the secret master key by simply reversing the key
schedule. We introduce a framework based on differential fault analysis that
allows to attack block ciphers with an arbitrary number of independent subkeys
and which rely on a substitution-permutation network. These methods are then
applied to the lightweight block ciphers LED and PRINCE and we show in both
cases how to recover the secret master key requiring only a small number of
fault injections. Moreover, we investigate approaches that utilize algebraic
instead of differential techniques for the fault analysis and discuss advantages
and drawbacks. At the end of the first part of the dissertation, we explore
fault-based attacks on the block cipher Bel-T which also has a lightweight key
schedule but is not based on a substitution-permutation network but instead on
the so-called Lai-Massey scheme. The framework mentioned above is thus not
usable against Bel-T. Nevertheless, we also present techniques for the case of
Bel-T that enable full recovery of the secret key in a very efficient way using
differential fault analysis.
In the second part of the thesis, we focus on authenticated encryption
schemes. While regular ciphers only protect privacy of processed data,
authenticated encryption schemes also secure its authenticity and integrity.
Many of these ciphers are additionally able to protect authenticity and
integrity of so-called associated data. This type of data is transmitted
unencrypted but nevertheless must be protected from being tampered with during
transmission. Authenticated encryption is nowadays the standard technique to
protect in-transit data. However, most of the currently deployed schemes have
deficits and there are many leverage points for improvements. With NORX we
introduce a novel authenticated encryption scheme supporting associated data.
This algorithm was designed with high security, efficiency in both hardware and
software, simplicity, and robustness against side-channel attacks in mind. Next
to its specification, we present special features, security goals,
implementation details, extensive performance measurements and discuss
advantages over currently deployed standards. Finally, we describe our
preliminary security analysis where we investigate differential and rotational
properties of NORX. Noteworthy are in particular the newly developed
techniques for differential cryptanalysis of NORX which exploit the power of
SAT- and SMT-solvers and have the potential to be easily adaptable to other
encryption schemes as well.Diese Doktorarbeit beschäftigt sich mit der Analyse und dem Entwurf von
symmetrischen kryptographischen Algorithmen.
Im ersten Teil der Dissertation befassen wir uns mit fehlerbasierten Angriffen
auf kryptographische Schaltungen, welche dem Gebiet der aktiven
Seitenkanalangriffe zugeordnet werden und auf die Rekonstruktion geheimer
Schlüssel abzielen, die auf diesen Chips gespeichert sind. Unser Hauptaugenmerk
liegt dabei auf den kryptoanalytischen Aspekten dieser Angriffe. Insbesondere
beschäftigen wir uns dabei mit Blockchiffren, die leichtgewichtige und eine
(oft) nicht-bijektive Schlüsselexpansion besitzen, bei denen die erzeugten
Teilschlüssel voneinander (nahezu) unabhängig sind. Ein Angreifer, dem es
gelingt einen Teilschlüssel zu rekonstruieren, ist dadurch nicht in der Lage
direkt weitere Teilschlüssel oder sogar den Hauptschlüssel abzuleiten indem er
einfach die Schlüsselexpansion umkehrt. Wir stellen Techniken basierend auf
differenzieller Fehleranalyse vor, die es ermöglichen Blockchiffren zu
analysieren, welche eine beliebige Anzahl unabhängiger Teilschlüssel einsetzen
und auf Substitutions-Permutations Netzwerken basieren. Diese Methoden werden im
Anschluss auf die leichtgewichtigen Blockchiffren LED und PRINCE angewandt und
wir zeigen in beiden Fällen wie der komplette geheime Schlüssel mit einigen
wenigen Fehlerinjektionen rekonstruiert werden kann. Darüber hinaus untersuchen
wir Methoden, die algebraische statt differenzielle Techniken der Fehleranalyse
einsetzen und diskutieren deren Vor- und Nachteile. Am Ende des ersten Teils der
Dissertation befassen wir uns mit fehlerbasierten Angriffen auf die Blockchiffre
Bel-T, welche ebenfalls eine leichtgewichtige Schlüsselexpansion besitzt jedoch
nicht auf einem Substitutions-Permutations Netzwerk sondern auf dem sogenannten
Lai-Massey Schema basiert. Die oben genannten Techniken können daher bei Bel-T
nicht angewandt werden. Nichtsdestotrotz werden wir auch für den Fall von Bel-T
Verfahren vorstellen, die in der Lage sind den vollständigen geheimen Schlüssel
sehr effizient mit Hilfe von differenzieller Fehleranalyse zu rekonstruieren.
Im zweiten Teil der Doktorarbeit beschäftigen wir uns mit authentifizierenden
Verschlüsselungsverfahren. Während gewöhnliche Chiffren nur die Vertraulichkeit
der verarbeiteten Daten sicherstellen, gewährleisten authentifizierende
Verschlüsselungsverfahren auch deren Authentizität und Integrität. Viele dieser
Chiffren sind darüber hinaus in der Lage auch die Authentizität und Integrität
von sogenannten assoziierten Daten zu gewährleisten. Daten dieses Typs werden in
nicht-verschlüsselter Form übertragen, müssen aber dennoch gegen unbefugte
Veränderungen auf dem Transportweg geschützt sein. Authentifizierende
Verschlüsselungsverfahren bilden heutzutage die Standardtechnologie um Daten
während der Übertragung zu beschützen. Aktuell eingesetzte Verfahren weisen
jedoch oftmals Defizite auf und es existieren vielfältige Ansatzpunkte für
Verbesserungen. Mit NORX stellen wir ein neuartiges authentifizierendes
Verschlüsselungsverfahren vor, welches assoziierte Daten unterstützt. Dieser
Algorithmus wurde vor allem im Hinblick auf Einsatzgebiete mit hohen
Sicherheitsanforderungen, Effizienz in Hardware und Software, Einfachheit, und
Robustheit gegenüber Seitenkanalangriffen entwickelt. Neben der Spezifikation
präsentieren wir besondere Eigenschaften, angestrebte Sicherheitsziele, Details
zur Implementierung, umfassende Performanz-Messungen und diskutieren Vorteile
gegenüber aktuellen Standards. Schließlich stellen wir Ergebnisse unserer
vorläufigen Sicherheitsanalyse vor, bei der wir uns vor allem auf differenzielle
Merkmale und Rotationseigenschaften von NORX konzentrieren. Erwähnenswert sind
dabei vor allem die für die differenzielle Kryptoanalyse von NORX entwickelten
Techniken, die auf die Effizienz von SAT- und SMT-Solvern zurückgreifen und das
Potential besitzen relativ einfach auch auf andere Verschlüsselungsverfahren
übertragen werden zu können