    Survey and Benchmark of Block Ciphers for Wireless Sensor Networks

    Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, due to the facts that these networks are meant to operate without human intervention for a long period of time with little energy supply, and that available storage is scarce on these sensor nodes. However, to our knowledge, no systematic work has been done in this area so far.We construct an evaluation framework in which we first identify the candidates of block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. For evaluating and assessing these candidates, we not only consider the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications

    The (related-key) impossible boomerang attack and its application to the AES block cipher

    The Advanced Encryption Standard (AES) is a 128-bit block cipher with a user key of 128, 192 or 256 bits, released by NIST in 2001 as the next-generation data encryption standard for use in the USA. It was adopted as an ISO international standard in 2005. Impossible differential cryptanalysis and the boomerang attack are powerful variants of differential cryptanalysis for analysing the security of a block cipher. In this paper, building on the notions of impossible differential cryptanalysis and the boomerang attack, we propose a new cryptanalytic technique, which we call the impossible boomerang attack, and then describe an extension of this attack which applies in a related-key attack scenario. Finally, we apply the impossible boomerang attack to break 6-round AES with 128 key bits and 7-round AES with 192/256 key bits, and using two related keys we apply the related-key impossible boomerang attack to break 8-round AES with 192 key bits and 9-round AES with 256 key bits. In the two-key related-key attack scenario, our results, which were the first to achieve this amount of attacked rounds, match the best currently known results for AES with 192/256 key bits in terms of the numbers of attacked rounds. The (related-key) impossible boomerang attack is a general cryptanalytic technique, and can potentially be used to cryptanalyse other block ciphers

    Characterizations of the Degraded Boolean Function and Cryptanalysis of the SAFER Family

    This paper investigates the degradation properties of Boolean functions from the aspects of the distributions of dierences and linear masks, and shows two characterizations of the degraded Boolean function. One is that there exists a linear space of the input dierences, where the dierentials with the zero output dierence have probability 1; Another one is that the input linear masks of the nonzero-correlation linear approximations are included in a linear space. Those two linear spaces are orthogonal spaces. Moreover, the degradation properties are showed about the exponentiation type S-box of the SAFER block ciphers, which are applied to reduce the compute complexity in the zero-correlation linear attacks on 5-round SAFER SK/128, 4(5)-round SAFER+/128(256) and 5(6)-round SAFER++/128(256). In the attacks, some of the linear properties of PHT employed as the linear layer by the SAFER block ciphers are investigated and some zero-correlation approximations for SAFER SK, SAFER+, and SAFER++ are identied, when only the least one or two signicant bits are considered. The results show that more rounds of some of the SAFER block ciphers can be attacked, by considering the degradation properties and the zero-correlation linear relations

    A Salad of Block Ciphers

    This book is a survey on the state of the art in block cipher design and analysis. It is work in progress, and it has been for the good part of the last three years -- sadly, for various reasons no significant change has been made during the last twelve months. However, it is also in a self-contained, useable, and relatively polished state, and for this reason I have decided to release this \textit{snapshot} onto the public as a service to the cryptographic community, both in order to obtain feedback, and also as a means to give something back to the community from which I have learned much. At some point I will produce a final version -- whatever being a ``final version\u27\u27 means in the constantly evolving field of block cipher design -- and I will publish it. In the meantime I hope the material contained here will be useful to other people

    Quantitative security of block ciphers:designs and cryptanalysis tools

    Block ciphers probably figure in the list of the most important cryptographic primitives. Although they are used for many different purposes, their essential goal is to ensure confidentiality. This thesis is concerned by their quantitative security, that is, by measurable attributes that reflect their ability to guarantee this confidentiality. The first part of this thesis deals with well know results. Starting with Shannon's Theory of Secrecy, we move to practical implications for block ciphers, recall the main schemes on which nowadays block ciphers are based, and introduce the Luby-Rackoff security model. We describe distinguishing attacks and key-recovery attacks against block ciphers and show how to turn the firsts into the seconds. As an illustration, we recall linear cryptanalysis which is a classical example of statistical cryptanalysis. In the second part, we consider the (in)security of block ciphers against statistical cryptanalytic attacks and develop some tools to perform optimal attacks and quantify their efficiency. We start with a simple setting in which the adversary has to distinguish between two sources of randomness and show how an optimal strategy can be derived in certain cases. We proceed with the practical situation where the cardinality of the sample space is too large for the optimal strategy to be implemented and show how this naturally leads to the concept of projection-based distinguishers, which reduce the sample space by compressing the samples. Within this setting, we re-consider the particular case of linear distinguishers and generalize them to sets of arbitrary cardinality. We show how these distinguishers between random sources can be turned into distinguishers between random oracles (or block ciphers) and how, in this setting, one can generalize linear cryptanalysis to Abelian groups. As a proof of concept, we show how to break the block cipher TOY100, introduce the block cipher DEAN which encrypts blocks of decimal digits, and apply the theory to the SAFER block cipher family. In the last part of this thesis, we introduce two new constructions. We start by recalling some essential notions about provable security for block ciphers and about Serge Vaudenay's Decorrelation Theory, and introduce new simple modules for which we prove essential properties that we will later use in our designs. We then present the block cipher C and prove that it is immune against a wide range of cryptanalytic attacks. In particular, we compute the exact advantage of the best distinguisher limited to two plaintext/ciphertext samples between C and the perfect cipher and use it to compute the exact value of the maximum expected linear probability (resp. differential probability) of C which is known to be inversely proportional to the number of samples required by the best possible linear (resp. differential) attack. We then introduce KFC a block cipher which builds upon the same foundations as C but for which we can prove results for higher order adversaries. We conclude both discussions about C and KFC by implementation considerations

    Cryptanalytic Attacks on IDEA Block Cipher

    International data encryption algorithm (IDEA) is a secret key or symmetric key block cipher. The purpose of IDEA was to replace data encryption standard (DES) cipher, which became practically insecure due to its small key size of 56 bits and increase in computational power of systems. IDEA cipher mainly to provide data confidentiality in variety of applications such as commercial and financial application e.g. pretty good privacy (PGP) protocol. Till 2015, no successful linear or algebraic weaknesses IDEA of have been reported. In this paper, author explained IDEA cipher, its application in PGP and did a systematic survey of various attacks attempted on IDEA cipher. The best cryptanalysis result which applied to all keys could break IDEA up to 6 rounds out of 8.5 rounds of the full IDEA cipher1. But the attack requires 264 known plaintexts and 2126.8 operations for reduced round version. This attack is practically not feasible due to above mention mammoth data and time requirements. So IDEA cipher is still completely secure for practical usage. PGP v2.0 uses IDEA cipher in place of BassOmatic which was found to be insecure for providing data confidentiality

    Основные принципы проектирования, оценка стойкости и перспективы использования в Украине алгоритма шифрования AES

    Представлені основні принципи проектування алгоритму шифрування AES, оцінка їх обгрунтованості та прозорості. Зроблений огляд найбільш ефективних методів криптоаналізу FIPS-197. Розглянуті проблемні питання безпеки, котрі у перспективі можуть бути використані для реалізації ефективної аналітичної атаки на шифр. Наведені дані про продуктивність програмних і апаратних реалізацій AES.Designing principles of AES, their validity and clearness are given. The review of the most effective cryptanalytical attacks of Rijndael is given. Potential weaknesses in security of FIPS-197 leading to possible implementation of effective analytical attacks on the cipher in the future are considered. Performance of software and hardware implementation of FIPS-197 is given