Practical Attacks on Reduced-Round AES

In this paper we investigate the security of 5-round AES against two different attacks in an adaptive setting. We present a practical key-recovery attack on 5-round AES with a secret s-box that requires $2^{32}$ adaptively chosen ciphertexts, which is as far as we know a new record. In addition, we present a new and practical key-independent distinguisher for 5-round AES which requires $2^{27.2}$ adaptively chosen ciphertexts. While the data complexity of this distinguisher is in the same range as the current best 5-round distinguisher, it exploits new structural properties of 5-round AES

Security Verification of Low-Trust Architectures

Low-trust architectures work on, from the viewpoint of software, always-encrypted data, and significantly reduce the amount of hardware trust to a small software-free enclave component. In this paper, we perform a complete formal verification of a specific low-trust architecture, the Sequestered Encryption (SE) architecture, to show that the design is secure against direct data disclosures and digital side channels for all possible programs. We first define the security requirements of the ISA of SE low-trust architecture. Looking upwards, this ISA serves as an abstraction of the hardware for the software, and is used to show how any program comprising these instructions cannot leak information, including through digital side channels. Looking downwards this ISA is a specification for the hardware, and is used to define the proof obligations for any RTL implementation arising from the ISA-level security requirements. These cover both functional and digital side-channel leakage. Next, we show how these proof obligations can be successfully discharged using commercial formal verification tools. We demonstrate the efficacy of our RTL security verification technique for seven different correct and buggy implementations of the SE architecture.Comment: 19 pages with appendi

Lower data attacks on Advanced Encryption Standard

The Advanced Encryption Standard (AES) is one of the most commonly used and analyzed encryption algorithms. In this work, we present new combinations of some prominent attacks on AES, achieving new records in data requirements among attacks, utilizing only $2^4$ and $2^{16}$ chosen plaintexts (CP) for 6-round and 7-round AES-192/256 respectively. One of our attacks is a combination of a meet-in-the-middle (MiTM) attack with a square attack mounted on 6-round AES-192/256 while another attack combines an MiTM attack and an integral attack, utilizing key space partitioning technique, on 7-round AES-192/256. Moreover, we illustrate that impossible differential (ID) attacks can be viewed as the dual of MiTM attacks in certain aspects which enables us to recover the correct key using the meet-in-the-middle (MiTM) technique instead of sieving through all potential wrong keys in our ID attack. Furthermore, we introduce the constant guessing technique in the inner rounds which significantly reduces the number of key bytes to be searched. The time and memory complexities of our attacks remain marginal

Multi-shape symmetric encryption mechanism for nongeneric attacks mitigation

Static cyphers use static transformations for encryption and decryption. Therefore, the attacker will have some knowledge that can be exploited to construct assaults since the transformations are static. The class of attacks which target a specific cypher design are called Non-Generic Attacks. Whereby, dynamic cyphers can be utilised to mitigate non-generic attacks. Dynamic cyphers aim at mitigating non-generic attacks by changing how the cyphers work according to the value of the encryption key. However, existing dynamic cyphers either degrade the performance or decrease the cypher’s actual security. Hence, this thesis introduces a Multi-Shape Symmetric Encryption Mechanism (MSSEM) which is capable of mitigating non-generic attacks by eliminating the opponents’ leverage of accessing the exact operation details. The base cyphers that have been applied in the proposed MSSEM are the Advanced Encryption Standard (AES) competition finalists, namely Rijndael, Serpent, MARS, Twofish, and RC6. These cyphers satisfy three essential criteria, such as security, performance, and expert input. Moreover, the modes of operation used by the MSSEM are the secure modes suggested by the National Institute of Standards and Technology, namely, Cipher Block Chaining (CBC), Cipher Feedback Mode (CFB), Output Feedback Mode (OFB), and Counter (CTR). For the proposed MSSEM implementation, the sender initially generates a random key using a pseudorandom number generator such as Blum Blum Shub (BBS) or a Linear Congruential Generator (LCG). Subsequently, the sender securely shares the key with the legitimate receiver. Besides that, the proposed MSSEM has an entity called the operation table that includes sixty different cypher suites. Each cypher suite has a specific cypher and mode of operation. During the run-time, one cypher suite is randomly selected from the operation table, and a new key is extracted from the master key with the assistance of SHA-256. The suite, as well as the new key, is allowed to encrypt one message. While each of the messages produces a new key and cypher suite. Thus, no one except communicating parties can access the encryption keys or the cypher suites. Furthermore, the security of MSSEM has been evaluated and mathematically proven to resist known and unknown attacks. As a result, the proposed MSSEM successfully mitigates unknown non-generic attacks by a factor of 2−6. In addition, the proposed MSSEM performance is better than MODEM since MODEM generates 4650 milliseconds to encrypt approximately 1000 bytes, whereas MSSEM needs only 0.14 milliseconds. Finally, a banking system simulation has been tested with the proposed MSSEM in order to secure inbound and outbound system traffic

Pholkos -- Efficient Large-state Tweakable Block Ciphers from the AES Round Function

With the dawn of quantum computers, higher security than $128$ bits has become desirable for primitives and modes. During the past decade, highly secure hash functions, MACs, and encryption schemes have been built primarily on top of keyless permutations, which simplified their analyses and implementation due to the absence of a key schedule. However, the security of these modes is most often limited to the birthday bound of the state size, and their analysis may require a different security model than the easier-to-handle secret-permutation setting. Yet, larger state and key sizes are desirable not only for permutations but also for other primitives such as block ciphers. Using the additional public input of tweakable block ciphers for domain separation allows for exceptionally high security or performance as recently proposed modes have shown. Therefore, it appears natural to ask for such designs. While security is fundamental for cryptographic primitives, performance is of similar relevance. Since 2009, processor-integrated instructions have allowed high throughput for the AES round function, which already motivated various constructions based on it. Moreover, the four-fold vectorization of the AES instruction sets in Intel\u27s Ice Lake architecture is yet another leap in terms of performance and gives rise to exploit the AES round function for even more efficient designs. This work tries to combine all aspects above into a primitive and to build upon years of existing analysis on its components. We propose Pholkos, a family of (1) highly efficient, (2) highly secure, and (3) tweakable block ciphers. Pholkos is no novel round-function design, but utilizes the AES round function, following design ideas of Haraka and AESQ to profit from earlier analysis results. It extends them to build a family of primitives with state and key sizes of $256$ and $512$ bits for flexible applications, providing high security at high performance. Moreover, we propose its usage with a $128$-bit tweak to instantiate high-security encryption and authentication schemes such as SCT, ThetaCB3, or ZAE. We study its resistance against the common attack vectors, including differential, linear, and integral distinguishers using a MILP-based approach and show an isomorphism from the AES to Pholkos-$512$ for bounding impossible-differential, or exchange distinguishers from the AES. Our proposals encrypt at around $1$--$2$ cycles per byte on Skylake processors, while supporting a much more general application range and considerably higher security guarantees than comparable primitives and modes such as PAEQ/AESQ, AEGIS, Tiaoxin346, or Simpira