MILP-aided Cryptanalysis of Round Reduced ChaCha

The inclusion of ChaCha20 and Poly1305 into the list of supported ciphers in TLS 1.3 necessitates a security evaluation of those ciphers with all the state-of-the-art tools and innovative cryptanalysis methodologies. Mixed Integer Linear Programming (MILP) has been successfully applied to find more accurate characteristics of several ciphers such as SIMON and SPECK. In our research, we use MILP-aided cryptanalysis to search for differential characteristics, linear approximations and integral properties of ChaCha. We are able to find differential trails up to 2 rounds and linear trails up to 1 round. However, no integral distinguisher has been found, even for 1 round

Optimal Forgeries Against Polynomial-Based MACs and GCM

Polynomial-based authentication algorithms, such as GCM and Poly1305, have seen widespread adoption in practice. Due to their importance, a significant amount of attention has been given to understanding and improving both proofs and attacks against such schemes. At EUROCRYPT 2005, Bernstein published the best known analysis of the schemes when instantiated with PRPs, thereby establishing the most lenient limits on the amount of data the schemes can process per key. A long line of work, initiated by Handschuh and Preneel at CRYPTO 2008, finds the best known attacks, advancing our understanding of the fragility of the schemes. Yet surprisingly, no known attacks perform as well as the predicted worst-case attacks allowed by Bernstein\u27s analysis, nor has there been any advancement in proofs improving Bernstein\u27s bounds, and the gap between attacks and analysis is significant. We settle the issue by finding a novel attack against polynomial-based authentication algorithms using PRPs, and combine it with new analysis, to show that Bernstein\u27s bound, and our attacks, are optimal

Security scheme for IoT environments in smart grids

El siguiente artículo propone un esquema de seguridad aplicado a las redes inteligentes, que utiliza diferentes mecanismos de seguridad para cumplir con los requisitos de confidencialidad, autenticación e integridad en una red implementada con nodos Raspberry Pi 3. El estudio presenta la evaluación de diferentes modos de cifrado para establecer los parámetros finales en la construcción de un esquema de seguridad, satisfaciendo los requisitos especificados por NTC 6079 para la infraestructura de redes inteligentes basada en la comparación métrica desarrollada en varios criterios de rendimiento.The following paper proposes a security scheme applied to smart grids, using different security mechanisms to comply with confidentiality, authentication, and integrity aspects in a grid implemented with Raspberry Pi 3 nodes. The study presents the evaluation of different encryption modes to establish the final parameters in the construction of a security scheme, satisfying NTC 6079 specified requirements for smart grids infrastructure based on metric comparison developed on various performance criteria

Automatic Search of Bit-Based Division Property for ARX Ciphers and Word-Based Division Property

Division property is a generalized integral property proposed by Todo at Eurocrypt 2015. Previous tools for automatic searching are mainly based on the Mixed Integer Linear Programming (MILP) method and trace the division property propagation at the bit level. In this paper, we propose automatic tools to detect ARX ciphers\u27 division property at the bit level and some specific ciphers\u27 division property at the word level. For ARX ciphers, we construct the automatic searching tool relying on Boolean Satisfiability Problem (SAT) instead of MILP, since SAT method is more suitable in the search of ARX ciphers\u27 differential/linear characteristics. The propagation of division property is translated into a system of logical equations in Conjunctive Normal Form (CNF). Some logical equations can be dynamically adjusted according to different initial division properties and stopping rule, while the others corresponding to r-round propagations remain the same. Moreover, our approach can efficiently identify some optimized distinguishers with lower data complexity. As a result, we obtain a 17-round distinguisher for SHACAL-2, which gains four more rounds than previous work, and an 8-round distinguisher for LEA, which covers one more round than the former one. For word-based division property, we develop the automatic search based on Satisfiability Modulo Theories (SMT), which is a generalization of SAT. We model division property propagations of basic operations and S-boxes by logical formulas, and turn the searching problem into an SMT problem. With some available solvers, we achieve some new distinguishers. For CLEFIA, 10-round distinguishers are obtained, which cover one more round than the previous work. For the internal block cipher of Whirlpool, the data complexities of 4/5-round distinguishers are improved. For Rijndael-192 and Rijndael-256, 6-round distinguishers are presented, which attain two more rounds than the published ones. Besides, the integral attacks for CLEFIA are improved by one round with the newly obtained distinguishers

New Insights On Differential And Linear Bounds Using Mixed Integer Linear Programming (Full Version)

Mixed Integer Linear Programming (MILP) is a very common method of modelling differential and linear bounds for ciphers, as it automates the process of finding the best differential trail or linear approximation. The Convex Hull (CH) modelling, introduced by Sun et al. (Eprint 2013/Asiacrypt 2014), is a popular method in this regard, which can convert the conditions corresponding to a small (4-bit) SBox to MILP constraints efficiently. In our work, we study this modelling with CH in more depth and observe a previously unreported problem associated with it. Our analysis shows, there are SBoxes for which the CH modelling can yield incorrect modelling. As such, using the CH modelling may lead to incorrect differential or linear bounds. This arises from the observation that although the CH is generated for a certain set of points, there can be points outside this set which also satisfy all the inequalities of the CH. As apparently no variant of the CH modelling can circumvent this problem, we propose a new modelling for differential and linear bounds. Our modelling makes use of every points of interest individually. This modelling works for an arbitrary SBox, and is able to find the exact bound. Additionally, we also explore the possibility of using redundant constraints, such that the run time for an MILP solver can be reduced while keeping the optimal result unchanged. For this purpose, we revisit the CH modelling and use the CH constraints as redundant constraints (on top of our usual constraints, which ensure the aforementioned problem does not occur). In fact, we choose two heuristics from the convex hull modelling. The first uses all the inequalities of a convex hull, while second uses a reduced number of inequalities. Apart from that, we also propose to use the solutions for the smaller rounds as another heuristic to find the optimal bound for a higher round. With our experiments on round-reduced GIFT-128, we show it is possible to reduce the run time a few folds using a suitable choice of redundant constraints. Further, we observe the necessity to consider separate heuristics for the differential and linear cases. We also present the optimal linear bounds for 11- and 12-rounds of GIFT-128, extending from the best-known result of 10-rounds

Machine Learning Assisted Differential Distinguishers For Lightweight Ciphers (Extended Version)

At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an `all-in-one\u27 differential cryptanalysis approach, which considers all the output differences effect under the same input difference. Usually, the all-in-one differential cryptanalysis is more effective compared to the one using only one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr\u27s work, we try to simulate the all-in-one differentials for non-Markov ciphers through machine learning. Our idea here is to reduce a distinguishing problem to a classification problem, so that it can be efficiently managed by machine learning. As a proof of concept, we show several distinguishers for four high profile ciphers, each of which works with trivial complexity. In particular, we show differential distinguishers for 8-round Gimli-Hash, Gimli-Cipher and Gimli-Permutation; 3-round Ascon-Permutation; 10-round Knot-256 permutation and 12-round Knot-512 permutation; and 4-round Chaskey-Permutation. Finally, we explore more on choosing an efficient machine learning model and observe that only a three layer neural network can be used. Our analysis shows the attacker is able to reduce the complexity of finding distinguishers by using machine learning techniques

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

SAND: an AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations

We revisit designing AND-RX block ciphers, that is, the designs assembled with the most fundamental binary operations---AND, Rotation and XOR operations and do not rely on existing units. Likely, the most popular representative is the NSA cipher \texttt{SIMON}, which remains one of the most efficient designs, but suffers from difficulty in security evaluation. As our main contribution, we propose \texttt{SAND}, a new family of lightweight AND-RX block ciphers. To overcome the difficulty regarding security evaluation, \texttt{SAND} follows a novel design approach, the core idea of which is to restrain the AND-RX operations to be within nibbles. By this, \texttt{SAND} admits an equivalent representation based on a $4\times8$ \textit{synthetic S-box} ($SSb$). This enables the use of classical S-box-based security evaluation approaches. Consequently, for all versions of \texttt{SAND}, (a) we evaluated security bounds with respect to differential and linear attacks, and in both single-key and related-key scenarios; (b) we also evaluated security against impossible differential and zero-correlation linear attacks. This better understanding of the security enables the use of a relatively simple key schedule, which makes the ASIC round-based hardware implementation of \texttt{SAND} to be one of the state-of-art Feistel lightweight ciphers. As to software performance, due to the natural bitslice structure, \texttt{SAND} reaches the same level of performance as \texttt{SIMON} and is among the most software-efficient block ciphers

Cryptanalysis of Some Block Cipher Constructions

When the public-key cryptography was introduced in the 1970s, symmetric-key cryptography was believed to soon become outdated. Nevertheless, we still heavily rely on symmetric-key primitives as they give high-speed performance. They are used to secure mobile communication, e-commerce transactions, communication through virtual private networks and sending electronic tax returns, among many other everyday activities. However, the security of symmetric-key primitives does not depend on a well-known hard mathematical problem such as the factoring problem, which is the basis of the RSA public-key cryptosystem. Instead, the security of symmetric-key primitives is evaluated against known cryptanalytic techniques. Accordingly, the topic of furthering the state-of-the-art of cryptanalysis of symmetric-key primitives is an ever-evolving topic. Therefore, this thesis is dedicated to the cryptanalysis of symmetric-key cryptographic primitives. Our focus is on block ciphers as well as hash functions that are built using block ciphers. Our contributions can be summarized as follows: First, we tackle the limitation of the current Mixed Integer Linear Programming (MILP) approaches to represent the differential propagation through large S-boxes. Indeed, we present a novel approach that can efficiently model the Difference Distribution Table (DDT) of large S-boxes, i.e., 8-bit S-boxes. As a proof of the validity and efficiency of our approach, we apply it on two out of the seven AES-round based constructions that were recently proposed in FSE 2016. Using our approach, we improve the lower bound on the number of active S-boxes of one construction and the upper bound on the best differential characteristic of the other. Then, we propose meet-in-the-middle attacks using the idea of efficient differential enumeration against two Japanese block ciphers, i.e., Hierocrypt-L1 and Hierocrypt-3. Both block ciphers were submitted to the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) project, selected as one of the Japanese e-Government recommended ciphers in 2003 and reselected in the candidate recommended ciphers list in 2013. We construct five S-box layer distinguishers that we use to recover the master keys of reduced 8 S-box layer versions of both block ciphers. In addition, we present another meet-in-the-middle attack on Hierocrypt-3 with slightly higher time and memory complexities but with much less data complexity. Afterwards, we shift focus to another equally important cryptanalytic attack, i.e., impossible differential attack. SPARX-64/128 is selected among the SPARX family that was recently proposed to provide ARX based block cipher whose security against differential and linear cryptanalysis can be proven. We assess the security of SPARX-64/128 against impossible differential attack and show that it can reach the same number of rounds the division-based integral attack, proposed by the designers, can reach. Then, we pick Kiasu-BC as an example of a tweakable block cipher and prove that, on contrary to its designers’ claim, the freedom in choosing the publicly known tweak decreases its security margin. Lastly, we study the impossible differential properties of the underlying block cipher of the Russian hash standard Streebog and point out the potential risk in using it as a MAC scheme in the secret-IV mode