A Key-Recovery Attack on SOBER-128

In this talk we consider linear approximations of layered cipher constructions with secret key-dependent constants that are inserted between layers, and where the layers have strong interdependency. Then clearly, averaging over the constant would clearly be wrong as it will break the interdependencies, and the Piling Up-lemma cannot be used. We show how to use linear approximations to divide the constants into constant classes, not necessary determined by a linear relation. As an example, a nonlinear filter generator SOBER-128 is considered and we show how to extend Matsui\u27s Algorithm I in this case. Also the possibility of using multiple linear approximations simultaneously is considered

Some Words on Cryptanalysis of Stream Ciphers

In the world of cryptography, stream ciphers are known as primitives used to ensure privacy over a communication channel. One common way to build a stream cipher is to use a keystream generator to produce a pseudo-random sequence of symbols. In such algorithms, the ciphertext is the sum of the keystream and the plaintext, resembling the one-time pad principal. Although the idea behind stream ciphers is simple, serious investigation of these primitives has started only in the late 20th century. Therefore, cryptanalysis and design of stream ciphers are important. In recent years, many designs of stream ciphers have been proposed in an effort to find a proper candidate to be chosen as a world standard for data encryption. That potential candidate should be proven good by time and by the results of cryptanalysis. Different methods of analysis, in fact, explain how a stream cipher should be constructed. Thus, techniques for cryptanalysis are also important. This thesis starts with an overview of cryptography in general, and introduces the reader to modern cryptography. Later, we focus on basic principles of design and analysis of stream ciphers. Since statistical methods are the most important cryptanalysis techniques, they will be described in detail. The practice of statistical methods reveals several bottlenecks when implementing various analysis algorithms. For example, a common property of a cipher to produce n-bit words instead of just bits makes it more natural to perform a multidimensional analysis of such a design. However, in practice, one often has to truncate the words simply because the tools needed for analysis are missing. We propose a set of algorithms and data structures for multidimensional cryptanalysis when distributions over a large probability space have to be constructed. This thesis also includes results of cryptanalysis for various cryptographic primitives, such as A5/1, Grain, SNOW 2.0, Scream, Dragon, VMPC, RC4, and RC4A. Most of these results were achieved with the help of intensive use of the proposed tools for cryptanalysis

Cryptanalysis of Symmetric Cryptographic Primitives

Symmetric key cryptographic primitives are the essential building blocks in modern information security systems. The overall security of such systems is crucially dependent on these mathematical functions, which makes the analysis of symmetric key primitives a goal of critical importance. The security argument for the majority of such primitives in use is only a heuristic one and therefore their respective security evaluation continually remains an open question. In this thesis, we provide cryptanalytic results for several relevant cryptographic hash functions and stream ciphers. First, we provide results concerning two hash functions: HAS-160 and SM3. In particular, we develop a new heuristic for finding compatible differential paths and apply it to the the Korean hash function standard HAS-160. Our heuristic leads to a practical second order collision attack over all of the HAS-160 function steps, which is the first practical-complexity distinguisher on this function. An example of a colliding quartet is provided. In case of SM3, which is a design that builds upon the SHA-2 hash and is published by the Chinese Commercial Cryptography Administration Office for the use in the electronic authentication service system, we study second order collision attacks over reduced-round versions and point out a structural slide-rotational property that exists in the function. Next, we examine the security of the following three stream ciphers: Loiss, SNOW 3G and SNOW 2.0. Loiss stream cipher is designed by Dengguo Feng et al. aiming to be implemented in byte-oriented processors. By exploiting some differential properties of a particular component utilized in the cipher, we provide an attack of a practical complexity on Loiss in the related-key model. As confirmed by our experimental results, our attack recovers 92 bits of the 128-bit key in less than one hour on a PC with 3 GHz Intel Pentium 4 processor. SNOW 3G stream cipher is used in 3rd Generation Partnership Project (3GPP) and the SNOW 2.0 cipher is an ISO/IEC standard (IS 18033-4). For both of these two ciphers, we show that the initialization procedure admits a sliding property, resulting in several sets of related-key pairs. In addition to allowing related-key key recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behavior of the primitives, yield related-key distinguishers for the two ciphers and question the validity of the security proofs of protocols based on the assumption that these ciphers behave like perfect random functions of the key-IV. Finally, we provide differential fault analysis attacks against two stream ciphers, namely, HC-128 and Rabbit. In this type of attacks, the attacker is assumed to have physical influence over the device that performs the encryption and is able to introduce random faults into the computational process. In case of HC-128, the fault model in which we analyze the cipher is the one in which the attacker is able to fault a random word of the inner state of the cipher but cannot control its exact location nor its new faulted value. Our attack requires about 7968 faults and recovers the complete internal state of HC-128 by solving a set of 32 systems of linear equations over Z2 in 1024 variables. In case of Rabbit stream cipher, the fault model in which the cipher is analyzed is the one in which a random bit of the internal state of the cipher is faulted, however, without control over the location of the injected fault. Our attack requires around 128 − 256 faults, precomputed table of size 2^41.6 bytes and recovers the complete internal state of Rabbit in about 2^38 steps

Обґрунтування стійкості потокового шифру «Струмок» відносно кореляційних атак над скінченними полями характеристики 2

The stream cipher SNOW 2.0 was proposed in 2002 as an alternative to the previous (weaker) version — SNOW. This cipher is standardized today and is one of the fastest program-oriented stream ciphers.The most powerful known attacks on SNOW 2.0 are correlation attacks, the essence of which is to form and solve systems of noised linear equations, in particular, over finite fields of order greater than 2. Despite some progress in this direction, remain unresolved problems related to the development of methods for evaluation and justification the security of SNOW 2.0-like stream ciphers against correlation attacks. To date, there are no methods that can justify the security of these ciphers against known correlation attacks directly from the parameters of their components. In addition, an attempt to apply known methods for evaluating the security of SNOW 2.0 against correlation attacks to some other stream ciphers (for example, Strumok, which is a candidate for National encryption standard of Ukraine) faces the difficulties associated with the size of tasks that have been solved. Unlike SNOW 2.0, constructed above the field of order , the Strumok cipher is set over a field of order , which leads to the impossibility of practical implementation of some known algorithms, the time complexity of which increases from  to  bit operations.The purpose of this article is to justify the security of Strumok against a wide class of correlation attacks, including known attacks on SNOW 2.0. The main result is a theorem that establishes an analytical bound for parameter characterizing the effectiveness of correlation attacks on SNOW 2.0-like ciphers in terms of their components. This allows in practice to evaluate and justify the security of such ciphers against correlation attacks over finite fields of characteristic 2.Потоковий шифр SNOW 2.0 запропонований у 2002 р. як альтернатива попередньої (більш слабкої) версії — SNOW. На сьогодні цей шифр є стандартизованим та являє собою один з найбільш швидких програмно орієнтованих потокових шифрів.Найбільш потужними з відомих атак на SNOW 2.0 є кореляційні атаки, сутність яких полягає у складанні та розв’язанні систем лінійних рівнянь із спотвореними правими частинами, зокрема, систем рівнянь над полями порядку більшого ніж 2. Не дивлячись на певний прогрес у цьому напрямі, залишаються не вирішеними задачі, пов’язані з розробкою методів оцінювання та обґрунтування стійкості SNOW 2.0-подібних потокових шифрів відносно кореляційних атак. На сьогодні відсутні методи, які дозволяють обґрунтовувати стійкість зазначених шифрів відносно відомих кореляційних атак безпосередньо за параметрами їх компонент. Крім того, спроба застосувати відомі методи оцінювання стійкості SNOW 2.0 відносно кореляційних атак до інших потокових шифрів (наприклад, шифру «Струмок», який запропоновано в ролі кандидата на національний стандарт шифрування України) наштовхується на труднощі, пов’язані з розміром задач, які треба розв’язувати для отримання оцінок. На відміну від SNOW 2.0, побудованого над полем порядку , шифр «Струмок» задається над полем порядку , що призводить до неможливості практичного застосування відомих певних алгоритмів, часова складність яких збільшується від  до  двійкових операцій.Мета даної роботи — обґрунтування стійкості шифру «Струмок» відносно широкого класу кореляційних атак, який охоплює, зокрема, відомі атаки на SNOW 2.0. Основним результатом є теорема, яка встановлює аналітичну оцінку параметра, що характеризує ефективність кореляційних атак на SNOW 2.0-подібні шифри у термінах їх компонент. Це дозволяє на практиці оцінювати та обґрунтовувати стійкість таких шифрів відносно кореляційних атак над полями характеристики 2

Обґрунтування стійкості потокового шифру "Струмок" відносно кореляційних атак над скінченними полями характеристики 2

Мета даної роботи — обґрунтування стійкості шифру «Струмок» відносно широкого класу кореляційних атак, який охоплює, зокрема, відомі атаки на SNOW 2.0. Основним результатом є теорема, яка встановлює аналітичну оцінку параметра, що характеризує ефективність кореляційних атак на SNOW 2.0-подібні шифри у термінах їх компонент. Це дозволяє на практиці оцінювати та обґрунтовувати стійкість таких шифрів відносно кореляційних атак над полями характеристики 2.The purpose of this article is to justify the security of Strumok against a wide class of correlation attacks, including known attacks on SNOW 2.0. The main result is a theorem that establishes an analytical bound for parameter characterizing the effectiveness of correlation attacks on SNOW 2.0-like ciphers in terms of their components. This allows in practice to evaluate and justify the security of such ciphers against correlation attacks over finite fields of characteristic 2

Contributions to Confidentiality and Integrity Algorithms for 5G

The confidentiality and integrity algorithms in cellular networks protect the transmission of user and signaling data over the air between users and the network, e.g., the base stations. There are three standardised cryptographic suites for confidentiality and integrity protection in 4G, which are based on the AES, SNOW 3G, and ZUC primitives, respectively. These primitives are used for providing a 128-bit security level and are usually implemented in hardware, e.g., using IP (intellectual property) cores, thus can be quite efficient. When we come to 5G, the innovative network architecture and high-performance demands pose new challenges to security. For the confidentiality and integrity protection, there are some new requirements on the underlying cryptographic algorithms. Specifically, these algorithms should: 1) provide 256 bits of security to protect against attackers equipped with quantum computing capabilities; and 2) provide at least 20 Gbps (Gigabits per second) speed in pure software environments, which is the downlink peak data rate in 5G. The reason for considering software environments is that the encryption in 5G will likely be moved to the cloud and implemented in software. Therefore, it is crucial to investigate existing algorithms in 4G, checking if they can satisfy the 5G requirements in terms of security and speed, and possibly propose new dedicated algorithms targeting these goals. This is the motivation of this thesis, which focuses on the confidentiality and integrity algorithms for 5G. The results can be summarised as follows.1. We investigate the security of SNOW 3G under 256-bit keys and propose two linear attacks against it with complexities 2172 and 2177, respectively. These cryptanalysis results indicate that SNOW 3G cannot provide the full 256-bit security level. 2. We design some spectral tools for linear cryptanalysis and apply these tools to investigate the security of ZUC-256, the 256-bit version of ZUC. We propose a distinguishing attack against ZUC-256 with complexity 2236, which is 220 faster than exhaustive key search. 3. We design a new stream cipher called SNOW-V in response to the new requirements for 5G confidentiality and integrity protection, in terms of security and speed. SNOW-V can provide a 256-bit security level and achieve a speed as high as 58 Gbps in software based on our extensive evaluation. The cipher is currently under evaluation in ETSI SAGE (Security Algorithms Group of Experts) as a promising candidate for 5G confidentiality and integrity algorithms. 4. We perform deeper cryptanalysis of SNOW-V to ensure that two common cryptanalysis techniques, guess-and-determine attacks and linear cryptanalysis, do not apply to SNOW-V faster than exhaustive key search. 5. We introduce two minor modifications in SNOW-V and propose an extreme performance variant, called SNOW-Vi, in response to the feedback about SNOW-V that some use cases are not fully covered. SNOW-Vi covers more use cases, especially some platforms with less capabilities. The speeds in software are increased by 50% in average over SNOW-V and can be up to 92 Gbps.Besides these works on 5G confidentiality and integrity algorithms, the thesis is also devoted to local pseudorandom generators (PRGs). 6. We investigate the security of local PRGs and propose two attacks against some constructions instantiated on the P5 predicate. The attacks improve existing results with a large gap and narrow down the secure parameter regime. We also extend the attacks to other local PRGs instantiated on general XOR-AND and XOR-MAJ predicates and provide some insight in the choice of safe parameters

Security Evaluation of Russian GOST Cipher

Survey of All Known Attacks on Russian Government Encryption Standard. In this talk we will survey some 30 recent attacks on the Russian GOST block cipher. Background: GOST cipher is the official encryption standard of the Russian federation, and also has special versions for the most important Russian banks. Until 2012 there was no attack on GOST when it is used in encryption with random keys. I have developed more than 30 different academic attacks on GOST the fastest has complexity of 2^118 to recover some but not all 256-bit keys generated at random, which will be presented for the first time at CCC conference. It happens only once per decade that a government standard is broken while it is still an official government standard (happened for DES and AES, no other cases known). All these are broken only in academic sense, for GOST most recent attacks are sliding into maybe arguably practical in 30 years from now instead of 200 years... Our earlier results were instrumental at ISO for rejecting GOST as an international encryption standard last year. Not more than 5+ block cihers have ever achieved this level of ISO standardisation in 25 years and it NEVER happended in history of ISO that a cipher got broken during the standardization process. Two main papers with 70+30 pages respectively which are http://eprint.iacr.org/2011/626 and http://eprint.iacr.org/2012/138. Two other papers have been already published in Cryptologia journal which specializes in serious military and government crypto. The talk will cover three main families of attacks on GOST: high-level transformations, low- level inversion/MITM/guess-then-software/algebraic attacks and advanced truncated differential cryptanalysis of GOST. Plan for the talk: First I cover the history of GOST with major Cold War history events as the necessary background. Then I describe in details three main families of attacks: 1) self-smilarity attacks which generalize slide fixed point and reflection attacks, and provide a large variety of ways in which the security of the full GOST cipher with 32 rounds can be reduced to the security of GOST with 8 rounds in a black box reduction and thus the task of the cryptanalys is split into two well-defined tasks. 2) detailed software/algebraic and MITM attacks on 8 rounds and how weak diffusion in GOST helps. 3) advanced truncated differential attacks on GOS

Combining MILP Modeling with Algebraic Bias Evaluation for Linear Mask Search: Improved Fast Correlation Attacks on SNOW

The Mixed Integer Linear Programming (MILP) technique has been widely applied in the realm of symmetric-key cryptanalysis. In this paper, we propose a new bitwise breakdown MILP modeling strategy for describing the linear propagation rules of modular addition-based operations. We apply such new techniques to cryptanalysis of the SNOW stream cipher family and find new linear masks: we use the MILP model to find many linear mask candidates among which the best ones are identified with particular algebraic bias evaluation techniques. For SNOW 3G, the correlation of the linear mask we found is the highest on record: such results are highly likely to be optimal according to our analysis. For SNOW 2.0, we find new masks matching the correlation record and many new sub-optimal masks applicable to improving correlation attacks. For SNOW-V/Vi, by investigating both bitwise and truncated linear masks, we find all linear masks having the highest correlation, and prove the optimum of the corresponding truncated patterns under the ``fewest active S-box preferred\u27\u27 strategy. By using the newly found linear masks, we give correlation attacks on the SNOW family with improved complexities. We emphasize that the newly proposed uniform MILP-aided framework can be potentially applied to analyze LFSR-FSM structures composed of modular addition and S-box as non-linear components

LOL: A Highly Flexible Framework for Designing Stream Ciphers

In this paper, we propose LOL, a general framework for designing blockwise stream ciphers, to achieve ultrafast software implementations for the ubiquitous virtual networks in 5G/6G environments and high-security level for post-quantum cryptography. The LOL framework is structurally strong, and all its components as well as the LOL framework itself enjoy high flexibility with various extensions. Following the LOL framework, we propose new stream cipher designs named LOL-MINI and LOL-DOUBLE with the support of the AES-NI and SIMD instructions: the former applies the basic LOL single mode while the latter uses the extended parallel-dual mode. Both LOL-MINI and LOL-DOUBLE support 256-bit key length and, according to our thorough evaluations, have 256-bit security margins against all existing cryptanalysis methods including differential, linear, integral, etc. The software performances of LOL-MINI and LOL-DOUBLE can reach 89 Gbps and 135 Gbps. In addition to pure encryptions, the LOL-MINI and LOL-DOUBLE stream ciphers can also be applied in a stream-cipher-then-MAC strategy to make an AEAD scheme