Applications of cryptanalysis methods to some symmetric key primitives

Block ciphers and hash functions are important cryptographic primitives that are used to secure the exchange of critical information. With the continuous increase in computational power available to attackers, information security systems including their underlying primitives need continuous improvements. Various cryptanalysis methods are used to examine the strength and weakness of hash functions and block ciphers. In this work, we study the Lesamnta-512 and DHA-256 hash functions and the LAC authenticated encryption scheme. In particular, we study the resistance of the underlying block cipher of the Lesamnta-512 hash function against impossible differential attacks, the resistance of the DHA-256 compression function against collision attacks. We also study MAC forgery attacks against LAC. Throughout our analysis, we use different automated methods to facilitate our analysis. For the cryptanalysis of Lesamnta-512, two automated methods are studied for finding an impossible differential path with the maximum length. Using the obtained impossible differential path, impossible differential cryptanalysis of Lesamnta-512 is performed for 16 rounds. For the DHA-256 hash function, we used an algebraic method to find collisions for its 17-step reduced compression function by deriving difference equations for each step and then solving them when the conditions for collisions are imposed on these equations. For LAC, the differential behavior of the different operations of the cipher is represented into a set of linear equations. Then, a Mixed Integer Linear Programming (MILP) approach is used to find a high probability characteristic. This characteristic is then used to perform a forgery attack on LAC encryption authenticated cipher

New Representations of the AES Key Schedules

In this master thesis we present new representations of the AES key schedules, withsome implications to the security of AES-based schemes. In particular, we show that theAES-128 key schedule can be split into four independent parallel computations operatingon 32 bits, up to linear transformation. Surprisingly, this property has not been describedin the literature after more than 20 years of analysis of AES.As a consequence, iterating an odd number of key-schedule rounds results in a functionwith short cycles. This explains an observation of Khairallah on mixFeed, a second-roundcandidate in the NIST lightweight competition. Our analysis actually shows that hisforgery attack on mixFeed succeeds with probability 0.44, completely breaking the scheme.The same observation also leads to a novel attack on ALE, another AES-based AEADscheme

New Representations of the AES Key Schedule

International audienceIn this paper we present a new representation of the AES key schedule, with some implications to the security of AES-based schemes. In particular, we show that the AES-128 key schedule can be split into four independent parallel computations operating on 32 bits chunks, up to linear transformation. Surprisingly, this property has not been described in the literature after more than 20 years of analysis of AES. We show two consequences of our new representation, improving previous cryptanalysis results of AES-based schemes. First, we observe that iterating an odd number of key schedule rounds results in a function with short cycles. This explains an observation of Khairallah on mixFeed, a second-round candidate in the NIST lightweight competition. Our analysis actually shows that his forgery attack on mixFeed succeeds with probability 0.44 (with data complexity 220GB), breaking the scheme in practice. The same observation also leads to a novel attack on ALE, another AES-based AEAD scheme. Our new representation also gives efficient ways to combine information from the first sub-keys and information from the last sub-keys, in order to reconstruct the corresponding master keys. In particular we improve previous impossible differential attacks against AES-128

The INT-RUP Security of OCB with Intermediate (Parity) Checksum

OCB is neither integrity under releasing unvieried plaintext (INT-RUP) nor nonce-misuse resistant. The tag of OCB is generated by encrypting plaintext checksum, which is vulnerable in the INT-RUP security model. This paper focuses on the weakness of the checksum processing in OCB. We describe a new notion, called plaintext or ciphertext checksum (PCC), which is a generalization of plaintext checksum, and prove that all authenticated encryption schemes with PCC are insecure in the INT-RUP security model. Then we x the weakness of PCC, and describe a new approach called intermediate (parity) checksum (I(P)C for short). Based on the I(P)C approach, we provide two modied schemes OCB-IC and OCB-IPC to settle the INT-RUP of OCB in the nonce-misuse setting. OCB-IC and OCB-IPC are proven INT-RUP up to the birthday bound in the nonce-misuse setting if the underlying tweakable blockcipher is a secure mixed tweakable pseudorandom permutation (MTPRP). The security bound of OCB-IPC is tighter than OCB-IC. To improve their speed, we utilize a \prove-then-prune approach: prove security and instantiate with a scaled-down primitive (e.g., reducing rounds for the underlying primitive invocations)

Efficient Design Strategies Based on the AES Round Function

We show several constructions based on the AES round function that can be used as building blocks for MACs and authenticated encryption schemes. They are found by a search of the space of all secure constructions based on an efficient design strategy that has been shown to be one of the most optimal among all the considered. We implement the constructions on the latest Intel\u27s processors. Our benchmarks show that on Intel Skylake the smallest construction runs at 0.188 c/B, while the fastest at only 0.125 c/B, i.e. five times faster than AES-128

State of the Art in Lightweight Symmetric Cryptography

Lightweight cryptography has been one of the hot topics in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a lightweight algorithm is usually designed to satisfy in both the software and the hardware case. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (NIST...) and international (ISO/IEC...) standards are listed. We identified several trends in the design of lightweight algorithms, such as the designers\u27 preference for ARX-based and bitsliced-S-Box-based designs or simpler key schedules. We also discuss more general trade-offs facing the authors of such algorithms and suggest a clearer distinction between two subsets of lightweight cryptography. The first, ultra-lightweight cryptography, deals with primitives fulfilling a unique purpose while satisfying specific and narrow constraints. The second is ubiquitous cryptography and it encompasses more versatile algorithms both in terms of functionality and in terms of implementation trade-offs

Electromagnetic Side-Channel Resilience against Lightweight Cryptography

Side-channel attacks are an unpredictable risk factor in cryptography. Therefore, observations of leakages through physical parameters, i.e., power and electromagnetic (EM) radiation, etc., of digital devices are essential to minimise vulnerabilities associated with cryptographic functions. Compared to costs in the past, performing side-channel attacks using inexpensive test equipment is becoming a reality. Internet-of-Things (IoT) devices are resource-constrained, and lightweight cryptography is a novel approach in progress towards IoT security. Thus, it would provide sufficient data and privacy protection in such a constrained ecosystem. Therefore, cryptanalysis of physical leakages regarding these emerging ciphers is crucial. EM side-channel attacks seem to cause a significant impact on digital forensics nowadays. Within existing literature, power analysis seems to have considerable attention in research whereas other phenomena, such as EM, should continue to be appropriately evaluated in playing a role in forensic analysis.The emphasis of this thesis is on lightweight cryptanalysis. The preliminary investigations showed no Correlation EManalysis (CEMA) of PRESENT lightweight algorithm. The PRESENT is a block cipher that promises to be adequate for IoT devices, and is expected to be used commercially in the future. In an effort to fill in this research gap, this work examines the capabilities of a correlation EM side-channel attack against the PRESENT. For that, Substitution box (S-box) of the PRESENT was targeted for its 1st round with the use of a minimum number of EM waveforms compared to other work in literature, which was 256. The attack indicates the possibility of retrieving 8 bytes of the secret key out of 10 bytes. The experimental process started from a Simple EMA (SEMA) and gradually enhanced up to a CEMA. The thesis presents the methodology of the attack modelling and the observations followed by a critical analysis. Also, a technical review of the IoT technology and a comprehensive literature review on lightweight cryptology are included

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

MILP-Based Automatic Differential Searches for LEA and HIGHT

In this paper we use MILP technique for automatic search for differential characteristics of ARX ciphers LEA and HIGHT. We show that the MILP model of the differential property of modular addition with one constant input can be represented with a much less number of linear inequalities compared to the general case. Benefiting from this new developed model for HIGHT block cipher, we can achieve a reduction of 112r out of 480r in the total number of linear constraints for MILP model of r-round of HIGHT. This saving accelerates the searching process of HIGHT about twice as fast. We enjoy the MILP model to investigate the differential effect of these ciphers and provide a more accurate estimation for the differential probability, as well. Our observations show that despite HIGHT, LEA exhibits a strong differential effect. The details of differential effects are reflected in a more compact manner using the newly defined notion of probability polynomial. The results gained by this method improve or extend the previous results as follows. For LEA block cipher, we found more efficient 12 and 13-round differentials whose probabilities are better than the best previous 12 and 13-round differentials for a factor of about 2^6 and 2^7, respectively. In the case of HIGHT block cipher, we found two new 12 and 13-round differentials, though with the same best reported probabilities