83 research outputs found
Distinguishing and Key Recovery Attacks on the Reduced-Round SNOW-V and SNOW-Vi
This paper presents distinguishing and key recovery attacks on the reduced-round SNOW-V and SNOW-Vi, which are stream ciphers proposed for standard encryption schemes for the 5G mobile communication system. First, we construct a Mixed-Integer Linear Programming (MILP) model to search for integral characteristics using the division property, and find the best integral distinguisher in the 3-, 4-, 5-round SNOW-V, and 5-round SNOW-Vi with time complexities of , , , and , respectively. Next, we construct a bit-level MILP model to efficiently search for differential characteristics, and find the best differential characteristics in the 3- and 4-round versions. These characteristics lead to the 3-round differential distinguishers for SNOW-V and SNOW-Vi with time complexities of and and the 4-round differential distinguishers for SNOW-V and SNOW-Vi with time complexities of and , respectively. Then, we consider single-bit and dual-bit differential cryptanalysis, which is inspired by the existing study on Salsa and ChaCha. By carefully choosing the IV values and differences, we can construct practical bit-wise differential distinguishers for the 4-round SNOW-V, 4-, and 5-round SNOW-Vi with time complexities of , , and , respectively. Finally, we improve the existing differential attack based on probabilistic neutral bits, which is also inspired by the existing study on Salsa and ChaCha. As a result, we present the best key recovery attack on the 4-round SNOW-V and SNOW-Vi with time complexities of and and data complexities of and , respectively. Consequently, we significantly improve the existing best attacks in the initialization phase by the designers
Automated Design Space Exploration and Datapath Synthesis for Finite Field Arithmetic with Applications to Lightweight Cryptography
Today, emerging technologies are reaching astronomical proportions. For example, the Internet
of Things has numerous applications and consists of countless different devices using different
technologies with different capabilities. But the one invariant is their connectivity. Consequently,
secure communications, and cryptographic hardware as a means of providing them, are faced
with new challenges. Cryptographic algorithms intended for hardware implementations must be
designed with a good trade-off between implementation efficiency and sufficient cryptographic
strength. Finite fields are widely used in cryptography. Examples of algorithm design choices
related to finite field arithmetic are the field size, which arithmetic operations to use, how to
represent the field elements, etc. As there are many parameters to be considered and analyzed, an
automation framework is needed.
This thesis proposes a framework for automated design, implementation and verification of finite
field arithmetic hardware. The underlying motif throughout this work is “math meets hardware”.
The automation framework is designed to bring the awareness of underlying mathematical
structures to the hardware design flow. It is implemented in GAP, an open source computer algebra
system that can work with finite fields and has symbolic computation capabilities. The framework
is roughly divided into two phases, the architectural decisions and the automated design genera-
tion. The architectural decisions phase supports parameter search and produces a list of candidates.
The automated design generation phase is invoked for each candidate, and the generated VHDL
files are passed on to conventional synthesis tools. The candidates and their implementation results
form the design space, and the framework allows rapid design space exploration in a systematic
way. In this thesis, design space exploration is focused on finite field arithmetic.
Three distinctive features of the proposed framework are the structure of finite fields, tower field
support, and on the fly submodule generation. Each finite field used in the design is represented as
both a field and its corresponding vector space. It is easy for a designer to switch between fields
and vector spaces, but strict distinction of the two is necessary for hierarchical designs. When an
expression is defined over an extension field, the top-level module contains element signals and
submodules for arithmetic operations on those signals. The submodules are generated with
corresponding vector signals and the arithmetic operations are now performed on the coordinates.
For tower fields, the submodules are generated for the subfield operations, and the design is generated
in a top-down fashion. The binding of expressions to the appropriate finite fields or vector spaces
and a set of customized methods allow the on the fly generation of expressions for implementation
of arithmetic operations, and hence submodule generation.
In the light of NIST Lightweight Cryptography Project (LWC), this work focuses mainly on small
finite fields. The thesis illustrates the impact of hardware implementation results during the design
process of WAGE, a Round 2 candidate in the NIST LWC standardization competition. WAGE
is a hardware oriented authenticated encryption scheme. The parameter selection for WAGE was
aimed at balancing the security and hardware implementation area, using hardware implementation
results for many design decisions, for example field size, representation of field elements, etc.
In the proposed framework, the components of WAGE are used as an example to illustrate different
automation flows and demonstrate the design space exploration on a real-world algorithm
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms
In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography.
In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy.
Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics.
Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive
Hardware Implementations of the WG-16 Stream Cipher with Composite Field Arithmetic
The WG stream cipher family consists of stream ciphers
based on the Welch-Gong (WG) transformations that are used as a nonlinear filter applied to the output of a linear feedback shift register (LFSR). The aim of this thesis is an exploration of the design space of the WG-16 stream cipher. Five different representations of the field elements were analyzed, namely the polynomial basis representation, the normal basis representation and three isomorphic tower field constructions of F216: F(((22)2)2)2, F(24)4 and F(28)2. Each design option begins with an in-depth description of different field constructions and their impact on the top-level WG transformation circuit. Normal basis representation of elements for each level of the tower was chosen for field constructions F(((22)2)2)2 and F(24)4, and a mixed basis, with polynomial basis for the lower and normal basis for the higher level of the tower for F(28)2. Representation of field elements affects the field arithmetic, which in turn affects the entire design. Targeting high throughput, pipelined architectures were developed, and pipelining was based on the particular field construction: each extension over the prime field offers a new pipelining possibility. Pipelining at a lower level of the tower field reduces the clock period. Most flexible pipelining options are possible for F(((22)2)2)2, a highly regular
construction, which permits an algebraic optimization of the WG transformation resulting in two multiplications being removed. High speed, achieved by adequate pipelining granularity, and smaller area due to removed multipliers deem the F(((22)2)2)2 to be the most suitable field construction for the implementation of WG-16. The best WG-16 modules achieve a throughput of 222 Mbit/s with 476 slices used on the Xilinx Spartan-6 FPGA device xc6slx9 (using Xilinx Synthesis
Tool (XST) for synthesis and ISE for implementation [47]) and a throughput of 529 Mbit/s with area cost of 12215 GEs for ASIC implementation, using the 65 nm CMOS technology (using Synopsys Design Compiler for synthesis [45] and Cadence SoC Encounter to complete the Place-and-Route phase)
Lightweight symmetric cryptography
The Internet of Things is one of the principal trends in information
technology nowadays. The main idea behind this concept is that devices
communicate autonomously with each other over the Internet. Some of
these devices have extremely limited resources, such as power and energy,
available time for computations, amount of silicon to produce the chip,
computational power, etc. Classical cryptographic primitives are often
infeasible for such constrained devices. The goal of lightweight
cryptography is to introduce cryptographic solutions with reduced resource
consumption, but with a sufficient security level.
Although this research area was of great interest to academia during the
last years and a large number of proposals for lightweight cryptographic
primitives have been introduced, almost none of them are used in real-word.
Probably one of the reasons is that, for academia, lightweight usually
meant to design cryptographic primitives such that they require minimal
resources among all existing solutions. This exciting research problem
became an important driver which allowed the academic community to better
understand many cryptographic design concepts and to develop new attacks.
However, this criterion does not seem to be the most important one for
industry, where lightweight may be considered as "rightweight". In other
words, a given cryptographic solution just has to fit the constraints of
the specific use cases rather than to be the smallest. Unfortunately,
academic researchers tended to neglect vital properties of the particular
types of devices, into which they intended to apply their primitives. That
is, often solutions were proposed where the usage of some resources was
reduced to a minimum. However, this was achieved by introducing new costs
which were not appropriately taken into account or in such a way that the
reduction of costs also led to a decrease in the security level. Hence,
there is a clear gap between academia and industry in understanding what
lightweight cryptography is. In this work, we are trying to fill some of
these gaps. We carefully investigate a broad number of existing lightweight
cryptographic primitives proposed by academia including authentication
protocols, stream ciphers, and block ciphers and evaluate their
applicability for real-world scenarios. We then look at how individual
components of design of the primitives influence their cost and summarize
the steps to be taken into account when designing primitives for concrete
cost optimization, more precisely - for low energy consumption. Next, we
propose new implementation techniques for existing designs making them more
efficient or smaller in hardware without the necessity to pay any
additional costs. After that, we introduce a new stream cipher design
philosophy which enables secure stream ciphers with smaller area size than
ever before and, at the same time, considerably higher throughput compared
to any other encryption schemes of similar hardware cost. To demonstrate
the feasibility of our findings we propose two ciphers with the smallest
area size so far, namely Sprout and Plantlet, and the most energy
efficient encryption scheme called Trivium-2. Finally, this thesis solves
a concrete industrial problem. Based on standardized cryptographic
solutions, we design an end-to-end data-protection scheme for low power
networks. This scheme was deployed on the water distribution network in the
City of Antibes, France
Analyse et Conception d'Algorithmes de Chiffrement LĂ©gers
The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the nist lwc standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.Les travaux présentés dans cette thèse s’inscrivent dans le cadre du projet FUI Paclido, qui a pour but de définir de nouveaux protocoles et algorithmes de sécurité pour l’Internet des Objets, et plus particulièrement les réseaux de capteurs sans fil. Cette thèse s’intéresse donc aux algorithmes de chiffrements authentifiés dits à bas coût ou également, légers, pouvant être implémentés sur des systèmes très limités en ressources. Une première partie des contributions porte sur la conception de l’algorithme léger Lilliput-AE, basé sur un schéma de Feistel généralisé étendu (EGFN) et soumis au projet de standardisation international Lightweight Cryptography (LWC) organisé par le NIST (National Institute of Standards and Technology). Une autre partie des travaux se concentre sur des attaques théoriques menées contre des solutions déjà existantes, notamment un certain nombre de candidats à la compétition LWC du NIST. Elle présente donc des analyses spécifiques des algorithmes Skinny et Spook ainsi qu’une étude plus générale des attaques de type boomerang contre les schémas de Feistel
Proceedings of AUTOMATA 2011 : 17th International Workshop on Cellular Automata and Discrete Complex Systems
International audienceThe proceedings contain full (reviewed) papers and short (non reviewed) papers that were presented at the workshop
- …