Small-Box Cryptography

One of the ultimate goals of symmetric-key cryptography is to find a rigorous theoretical framework for building block ciphers from small components, such as cryptographic S-boxes, and then argue why iterating such small components for sufficiently many rounds would yield a secure construction. Unfortunately, a fundamental obstacle towards reaching this goal comes from the fact that traditional security proofs cannot get security beyond 2^{-n}, where n is the size of the corresponding component. As a result, prior provably secure approaches - which we call "big-box cryptography" - always made n larger than the security parameter, which led to several problems: (a) the design was too coarse to really explain practical constructions, as (arguably) the most interesting design choices happening when instantiating such "big-boxes" were completely abstracted out; (b) the theoretically predicted number of rounds for the security of this approach was always dramatically smaller than in reality, where the "big-box" building block could not be made as ideal as required by the proof. For example, Even-Mansour (and, more generally, key-alternating) ciphers completely ignored the substitution-permutation network (SPN) paradigm which is at the heart of most real-world implementations of such ciphers. In this work, we introduce a novel paradigm for justifying the security of existing block ciphers, which we call small-box cryptography. Unlike the "big-box" paradigm, it allows one to go much deeper inside the existing block cipher constructions, by only idealizing a small (and, hence, realistic!) building block of very small size n, such as an 8-to-32-bit S-box. It then introduces a clean and rigorous mixture of proofs and hardness conjectures which allow one to lift traditional, and seemingly meaningless, "at most 2^{-n}" security proofs for reduced-round idealized variants of the existing block ciphers, into meaningful, full-round security justifications of the actual ciphers used in the real world. We then apply our framework to the analysis of SPN ciphers (e.g, generalizations of AES), getting quite reasonable and plausible concrete hardness estimates for the resulting ciphers. We also apply our framework to the design of stream ciphers. Here, however, we focus on the simplicity of the resulting construction, for which we managed to find a direct "big-box"-style security justification, under a well studied and widely believed eXact Linear Parity with Noise (XLPN) assumption. Overall, we hope that our work will initiate many follow-up results in the area of small-box cryptography

Improving the Performance of the SYND Stream Cipher

International audience. In 2007, Gaborit et al. proposed the stream cipher SYND as an improvement of the pseudo random number generator due to Fischer and Stern. This work shows how to improve considerably the e ciency the SYND cipher without using the so-called regular encoding and without compromising the security of the modi ed SYND stream cipher. Our proposal, called XSYND, uses a generic state transformation which is reducible to the Regular Syndrome Decoding problem (RSD), but has better computational characteristics than the regular encoding. A rst implementation shows that XSYND runs much faster than SYND for a comparative security level (being more than three times faster for a security level of 128 bits, and more than 6 times faster for 400-bit security), though it is still only half as fast as AES in counter mode. Parallel computation may yet improve the speed of our proposal, and we leave it as future research to improve the e ciency of our implementation

Guaranteeing the diversity of number generators

A major problem in using iterative number generators of the form x_i=f(x_{i-1}) is that they can enter unexpectedly short cycles. This is hard to analyze when the generator is designed, hard to detect in real time when the generator is used, and can have devastating cryptanalytic implications. In this paper we define a measure of security, called_sequence_diversity_, which generalizes the notion of cycle-length for non-iterative generators. We then introduce the class of counter assisted generators, and show how to turn any iterative generator (even a bad one designed or seeded by an adversary) into a counter assisted generator with a provably high diversity, without reducing the quality of generators which are already cryptographically strong.Comment: Small update

Searchable Symmetric Encryption and its applications

In the age of personalized advertisement and online identity profiles, people’s personal information is worth more to corporations than ever. Storing data in the cloud is increasing in popularity due to bigger file sizes and people just storing more information digitally. The leading cloud storage providers require insight into what users store on their servers. This forces users to trust their cloud storage provider not to misuse their information. This opens the possibility that private information is sold to hackers or is made publicly available on the internet. However, the more realistic case is that the service provider sells or misuses your metadata for use in personalized advertisements or other, less apparent purposes. This thesis will explore Searchable Sym- metric Encryption (SSE) algorithms and how we can utilize them to make a more secure cloud storage serviceMasteroppgave i informatikkINF399MAMN-PROGMAMN-IN

D.STVL.9 - Ongoing Research Areas in Symmetric Cryptography

This report gives a brief summary of some of the research trends in symmetric cryptography at the time of writing (2008). The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5)

Cryptanalysis of Dedicated Cryptographic Hash Functions

In this thesis we study the security of a number of dedicated cryptographic hash functions against cryptanalytic attacks. We begin with an introduction to what cryptographic hash functions are and what they are used for. This is followed by strict definitions of the security properties often required from cryptographic hash functions. FSB hashes are a class of hash functions derived from a coding theory problem. We attack FSB by modeling the compression function of the hash by a matrix in GF(2). We show that collisions and preimages can easily be found in FSB with the proposed security parameters. We describe a meet-in-the-middle attack against the FORK-256 hash function. The attack requires 2^112.8 operations to find a collision, which is a 38000-fold improvement over the expected 2^128 operations. We then present a method for finding slid pairs for the compression function of SHA-1; pairs of inputs and messages that produce closely related outputs in the compression function. We also cryptanalyse two block ciphers based on the compression function of MD5, MDC-MD5 and the Kaliski-Robshaw "Crab" encryption algorithm. VSH is a hash function based on problems in number theory that are believed to be hard. The original proposal only claims collision resistance; we demonstrate that VSH does not meet the other hash function requirements of preimage resistance, one-wayness, and collision resistance of truncated variants. To explore more general cryptanalytic attacks, we discuss the d-Monomial test, a statistical test that has been found to be effective in distinguishing iterated Boolean circuits from real random functions. The test is applied to the SHA and MD5 hash functions. We present a new hash function proposal, LASH, and its initial cryptanalysis.The LASH design is based on a simple underlying primitive, and some of its security can be shown to be related to lattice problems

MV3: A new word based stream cipher using rapid mixing and revolving buffers

MV3 is a new word based stream cipher for encrypting long streams of data. A direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word version will obviously need vast amounts of memory. This scaling issue necessitates a look for new components and principles, as well as mathematical analysis to justify their use. Our approach, like RC4's, is based on rapidly mixing random walks on directed graphs (that is, walks which reach a random state quickly, from any starting point). We begin with some well understood walks, and then introduce nonlinearity in their steps in order to improve security and show long term statistical correlations are negligible. To minimize the short term correlations, as well as to deter attacks using equations involving successive outputs, we provide a method for sequencing the outputs derived from the walk using three revolving buffers. The cipher is fast -- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor. A word based cipher needs to output more bits per step, which exposes more correlations for attacks. Moreover we seek simplicity of construction and transparent analysis. To meet these requirements, we use a larger state and claim security corresponding to only a fraction of it. Our design is for an adequately secure word-based cipher; our very preliminary estimate puts the security close to exhaustive search for keys of size < 256 bits.Comment: 27 pages, shortened version will appear in "Topics in Cryptology - CT-RSA 2007

Decorrelation: A Theory for Block Cipher Security

Pseudorandomness is a classical model for the security of block ciphers. In this paper we propose convenient tools in order to study it in connection with the Shannon Theory, the Carter-Wegman universal hash functions paradigm, and the Luby-Rackoff approach. This enables the construction of new ciphers with security proofs under specific models. We show how to ensure security against basic differential and linear cryptanalysis and even more general attacks. We propose practical construction scheme

Scalable symmetric block ciphers based on group bases

Neben der Sicherheit und Effizienz werden Skalierbarkeit und Einstellbarkeit als besonders wichtige Eigenschaften einer Blockchiffre betrachtet. Einer der möglichen Ansätze zur Konstruktion von skalierbaren und einstellbaren Blockchiffren basiert auf Gruppenbasen. Dieser Ansatz ist aus mathematischer Sicht sehr direkt und einfach, und die resultierende Chiffren besitzen mehrere wünschenswerten Eigenschaften, wie z.B. eine skalierbare Block- und Schlüssellänge und einen extrem großen Schlüsselraum. In dieser Arbeit werden einige bisher unbeantwortete Fragen bezüglich Sicherheit, Effizienz und Implementierungstauglichkeit dieser Kryptosysteme - insbesondere des neuesten Repräsentanten TST - untersucht und zwei neue verbesserte Chiffren-Designs präsentiert. Im ersten Teil der Arbeit wird das Kryptosystem TST analysiert. Dabei werden zwei möglichen Permutationsdarstellungen verglichen, eine effiziente Implementierung der Schlüsselgenerierung diskutiert, und die wichtigsten Charakteristiken wie Durchsatz, Speicherbedarf und Initialisierungsverzögerung gemessen. Außerdem wird eine Sicherheitsanalyse durchgeführt, bei der die statistischen Eigenschaften des Kryptosystems untersucht werden und ein kryptographischer Angriff konstruiert wird. Die Ergebnisse dieser Analyse zeigen, dass die Effizienz und Sicherheit von TST nicht zufriedenstellend sind. Eine mögliche Lösung dieser bei TST auftretenden Probleme wird in dem zweiten Teil der Arbeit präsentiert. Mit Hilfe erweiterter Gruppenbasen kann die Diffusion von TST deutlich verbessert werden, was durch statistische Tests belegt wird. Aufgrund den besseren Diffusionseigenschaften kann auch eine einfachere Trägergruppe eingesetzt werden, mit der der Speicherbedarf reduziert und der Durchsatz erhöht werden kann. In dem letzten Teil der Arbeit wird eine iterative Version von TST vorgestellt. Der elementare Baustein dieses Designs entspricht einem Faktorisierungsschritt in einer Gruppenbasis, statt einer echten Faktorisierung wird jedoch eine konstante Funktion mehrmals iterativ angewandt. Die wesentlichen Vorteile dieses Ansatzes gegenüber TST sind ein deutlich reduzierter Speicherbedarf, erhöhter Durchsatz und verbesserte Flexibilität. Die Block- und Schlüssellänge sind, genau wie bei TST, frei wählbar. Zusätzlich ermöglicht das neue Kryptosystem eine freie Einstellung der Sicherheit, der Geschwindigkeit und des Speicherbedarfs. Mit der entsprechenden Anzahl von Runden bietet die neue Chiffre eine hervorragende Sicherheit, was sowohl unsere Kryptanalyse, als auch die statistischen Tests bestätigt haben