A Survey of ARX-based Symmetric-key Primitives

Addition Rotation XOR is suitable for fast implementation symmetric –key primitives, such as stream and block ciphers. This paper presents a review of several block and stream ciphers based on ARX construction followed by the discussion on the security analysis of symmetric key primitives where the best attack for every cipher was carried out. We benchmark the implementation on software and hardware according to the evaluation metrics. Therefore, this paper aims at providing a reference for a better selection of ARX design strategy

A Cipher-Agnostic Neural Training Pipeline with Automated Finding of Good Input Differences

Neural cryptanalysis is the study of cryptographic primitives through machine learning techniques. Following Gohr’s seminal paper at CRYPTO 2019, a focus has been placed on improving the accuracy of such distinguishers against specific primitives, using dedicated training schemes, in order to obtain better key recovery attacks based on machine learning. These distinguishers are highly specialized and not trivially applicable to other primitives. In this paper, we focus on the opposite problem: building a generic pipeline for neural cryptanalysis. Our tool is composed of two parts. The first part is an evolutionary algorithm for the search of good input differences for neural distinguishers. The second part is DBitNet, a neural distinguisher architecture agnostic to the structure of the cipher. We show that this fully automated pipeline is competitive with a highly specialized approach, in particular for SPECK32, and SIMON32. We provide new neural distinguishers for several primitives (XTEA, LEA, HIGHT, SIMON128, SPECK128) and improve over the state-of-the-art for PRESENT, KATAN, TEA and GIMLI

Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT'91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics. In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of 2−56.932−56.93, while the best single characteristic only suggests a probability of 2−722−72. Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives. Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys

Quantum entropic security and approximate quantum encryption

We present full generalisations of entropic security and entropic indistinguishability to the quantum world where no assumption but a limit on the knowledge of the adversary is made. This limit is quantified using the quantum conditional min-entropy as introduced by Renato Renner. A proof of the equivalence between the two security definitions is presented. We also provide proofs of security for two different cyphers in this model and a proof for a lower bound on the key length required by any such cypher. These cyphers generalise existing schemes for approximate quantum encryption to the entropic security model.Comment: Corrected mistakes in the proofs of Theorems 3 and 6; results unchanged. To appear in IEEE Transactions on Information Theory

Deep Learning based Cryptanalysis of Stream Ciphers

Conventional cryptanalysis techniques necessitate an extensive analysis of non-linear functions defining the relationship of plain data, key, and corresponding cipher data. These functions have very high degree terms and make cryptanalysis work extremely difficult. The advent of deep learning algorithms along with the better and efficient computing resources has brought new opportunities to analyze cipher data in its raw form. The basic principle of designing a cipher is to introduce randomness into it, which means the absence of any patterns in cipher data. Due to this fact, the analysis of cipher data in its raw form becomes essential. Deep learning algorithms are different from conventional machine learning algorithms as the former directly work on raw data without any formal requirement of feature selection or feature extraction steps. With these facts and the assumption of the suitability of employing deep learning algorithms for cipher data, authors introduced a deep learning based method for finding biases in stream ciphers in the black-box analysis model. The proposed method has the objective to predict the occurrence of an output bit/byte at a specific location in the stream cipher generated keystream. The authors validate their method on stream cipher RC4 and its improved variant RC4A and discuss the results in detail. Further, the authors apply the method on two more stream ciphers namely Trivium and TRIAD. The proposed method can find bias in RC4 and shows the absence of this bias in its improved variant and other two ciphers. Focusing on RC4, the authors present a comparative analysis with some existing methods in terms of approach and observations and showed that their process is more straightforward and less complicated than the existing ones