Survey and Benchmark of Block Ciphers for Wireless Sensor Networks

Cryptographic algorithms play an important role in the security architecture of wireless sensor networks (WSNs). Choosing the most storage- and energy-efficient block cipher is essential, due to the facts that these networks are meant to operate without human intervention for a long period of time with little energy supply, and that available storage is scarce on these sensor nodes. However, to our knowledge, no systematic work has been done in this area so far.We construct an evaluation framework in which we first identify the candidates of block ciphers suitable for WSNs, based on existing literature and authoritative recommendations. For evaluating and assessing these candidates, we not only consider the security properties but also the storage- and energy-efficiency of the candidates. Finally, based on the evaluation results, we select the most suitable ciphers for WSNs, namely Skipjack, MISTY1, and Rijndael, depending on the combination of available memory and required security (energy efficiency being implicit). In terms of operation mode, we recommend Output Feedback Mode for pairwise links but Cipher Block Chaining for group communications

KLEIN: A New Family of Lightweight Block Ciphers

Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has advantage in the software performance on legacy sensor platforms, while in the same time its hardware implementation can also be compact

Методика обоснования стойкости немарковских симметричных блочных шифров к дифференциальному криптоанализу

Задача доказової стійкості схеми Фейстеля до диференціального аналізу була поставлена та розв’язана Ніберг та Кнудсеном; ними була виведена теоретична верхня межа імовірності існування диференціалів шифру, виражена через відповідні імовірності раундових функцій. Цей параметр дозволяє оцінити знизу складність проведення диференціальної атаки на довільний шифр, побудований на основі схеми Фейстеля. В немарковських схем. В даній роботі пропонується загальна методика побудови аналітичної оцінки верхньої межі імовірності існування диференціалів через параметри раундових функцій. Ця методика базується на принципах, які використовувались при доведенні результатів попередніх дослідників, однак вона дозволяє оцінювати немарковські шифри та будувати аналітичні оцінки автоматично, що виявляється корисним для оцінки стійкості складних схем шифрування, для яких традиційний математичний підхід вимагав би дослідження великої кількості різних випадків. Суть методики полягає у розгляданні можливих шляхів тривіалізації раундових диференціалів шифру та розбитті множини диференціальних характеристик на класи відповідно до шляху тривіалізації. Кількість таких класів є порівняно невеликою, тому вони можуть бути швидко перебрані; для кожного класу будується верхня межа диференціальної імовірності, з яких потім обирається максимальне значення. Наводяться результати аналізу та оцінки стійкості низки узагальнених схем Фейстеля: Skipjack-подібної, CAST-подібних та узагальненої MISTY-подібної схем.Nyberg and Knudsen formulated and solved a problem of provable security of Feistel network against differential analysis. They derived analytical upper bound of cipher differential probabilities expressed in terms of corresponding round function probabilities. Such parameter gives minimal complexity of differential attack over any cipher based on Feistel network. Further, similar results was obtained for many Markov ciphers and some non-Markov schemes. We propose a procedure of constructing an analytical estimation of differential probabilities’ upper bound in terms of round functions parameters. This procedure is based on principles used in previous researches, but it allows to evaluate security of non-Markov ciphers and to build estimations automatically. The last is useful in studying of complex ciphers, for which traditional techniques would require a huge number of cases to analyze. Essence of procedure is to consider all possible ways of round differential trivialization and to partition a set of differential characteristics according to trivialization ways. The number of parts is relatively small so that they can be quickly enumerated. The upper bound of differential probability is estimated for each such part, and the maximum is the cipher’s total upper bound. We also present the results of analysis and estimations of provable security against differential analysis for some generalized Feistel networks: Skipjack-like ciphers, two variants of CAST-like ciphers and generalized MISTY-like ciphers.Задача доказательной стойкости схемы Фейстеля к дифференциальному анализу была поставлена и решена Ниберг и Кнудсеном; ними была выведена теоретическая верхняя граница вероятности существования дифференциалов шифра, выраженная через соответствующие вероятности раундовых функций. Этот параметр позволяет оценить снизу сложность проведения дифференциальной атаки на произвольный шифр, построенный на основе схемы Фейстеля. В дальнейшем подобные результаты были получены для многих других марковских шифров и некоторых немарковских схем. В данной работе предлагается методика построения аналитической оценки верхней границы вероятности существования дифференциалов через параметры раундовых функций. Эта методика базируется на принципах, которые использовались при доказательстве результатов предыдущих исследователей, однако она позволяет оценивать немарковские шифры и строить аналитические оценки автоматически, что оказывается полезным при оценке стойкости сложных схем шифрования, в которых традиционный математический подход требовал бы исследования огромного количества разных случаев. Суть методики состоит в рассмотрении возможных путей тривиализации раундовых дифференциалов шифра и разбиении множества дифференциальных характеристик на классы в соответствии с путём тривиализации. Количество таких классов сравнительно невелико, поэтому они могут быть быстро перебраны; для каждого класса строятся верхние границы дифференциальных вероятностей, из которых потом выбирается максимальное значение. Приводятся результаты анализа и оценки стойкости некоторых обобщённых схем Фейстеля: Skipjack-подобной, CAST-подобных и обобщённой MISTY-подобной схем

Improvements for Finding Impossible Differentials of Block Cipher Structures

We improve Wu and Wang’s method for finding impossible differentials of block cipher structures. This improvement is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply it on Gen-CAST256, Misty, Gen-Skipjack, Four-Cell, Gen-MARS, SMS4, MIBS, Camellia⁎, LBlock, E2, and SNAKE block ciphers. All impossible differentials discovered by the algorithm are the same as Wu’s method. Besides, for the 8-round MIBS block cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang’s results. The experiment results show that the improved algorithm can not only find more impossible differentials, but also largely reduce the search time

Differential Cryptanalysis of Round-Reduced Sparx-64/128

Sparx is a family of ARX-based block ciphers designed according to the long-trail strategy (LTS) that were both introduced by Dinu et al. at ASIACRYPT'16. Similar to the wide-trail strategy, the LTS allows provable upper bounds on the length of differential characteristics and linear paths. Thus, the cipher is a highly interesting target for third-party cryptanalysis. However, the only third-party cryptanalysis on Sparx-64/128 to date was given by Abdelkhalek et al. at AFRICACRYPT'17 who proposed impossible-differential attacks on 15 and 16 (out of 24) rounds. In this paper, we present chosen-ciphertext differential attacks on 16 rounds of Sparx-64/128. First, we show a truncated-differential analysis that requires 232232 chosen ciphertexts and approximately 293293 encryptions. Second, we illustrate the effectiveness of boomerangs on Sparx by a rectangle attack that requires approximately 259.6259.6 chosen ciphertexts and about 2122.22122.2 encryption equivalents. Finally, we also considered a yoyo attack on 16 rounds that, however, requires the full codebook and approximately 21262126 encryption equivalents

Security Evaluation against Differential Cryptanalysis for Block Cipher Structures

Estimating immunity against differential and linear cryptanalysis is essential in designing secure block ciphers. A practical measure to achieve it is to find the minimal number of active S-boxes, or a lower bound for this minimal number. In this paper, we provide a general algorithm using integer programming, which not only can estimate a good lower bound of the minimal differential active S-boxes for various block cipher structures, but also provides an efficient way to select new structures with good properties against differential cryptanalysis. Experimental results for the Feistel, CAST256, SMS4, CLEFIA and Generalized Feistel structures indicate that bounds obtained by our algorithm are the tightest except for a few rounds of the SMS4 structure. Then, for the first time, bounds of the differential active S-boxes number for the MISTY1, Skipjack, MARS and Four-cell structures are illustrated with the application of our algorithm. Finally, our algorithm is used to find four new structures with good properties against differential cryptanalysis. Security evaluation against liner cryptanalysis can be processed with our algorithm similarly by considering dual structures

Symmetric block ciphers with a block length of 32 bit

Subject of the thesis at hand is the analysis of symmetric block ciphers with a block length of 32 bit. It is meant to give a comprising overview over the topic of 32 bit block ciphers. The topic is divided in the examination of three questions. It contains a list of state of the art block ciphers with a block length of 32 bit. The block ciphers are being described, focussing on the encryption function. An SPN-based cipher with 32 bit block length is being proposed by rescaling the AES cipher. The 32 bit block length results in certain security issues. These so called risk factors are analysed and mitigating measures are proposed. The result of the thesis is, that 32 bit block ciphers can be implemented in a secure manner. The use of 32 bit ciphers should be limited to specific use-cases and with a profound risk analysis, to determine the protection class of the data to be encrypted

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis

Impossible differential and zero correlation linear cryptanalysis are two of the most important cryptanalytic vectors. To characterize the impossible differentials and zero correlation linear hulls which are independent of the choices of the non-linear components, Sun et al. proposed the structure deduced by a block cipher at CRYPTO 2015. Based on that, we concentrate in this paper on the security of the SPN structure and Feistel structure with SP-type round functions. Firstly, we prove that for an SPN structure, if \alpha_1\rightarrow\beta_1 and \alpha_2\rightarrow\beta_ are possible differentials, \alpha_1|\alpha_2\rightarrow\beta_1|\beta_2 is also a possible differential, i.e., the OR | operation preserves differentials. Secondly, we show that for an SPN structure, there exists an r-round impossible differential if and only if there exists an r-round impossible differential \alpha\not\rightarrow\beta where the Hamming weights of both \alpha and \beta are 1. Thus for an SPN structure operating on m bytes, the computation complexity for deciding whether there exists an impossible differential can be reduced from O(2^{2m}) to O(m^2). Thirdly, we associate a primitive index with the linear layers of SPN structures. Based on the matrices theory over integer rings, we prove that the length of impossible differentials of an SPN structure is upper bounded by the primitive index of the linear layers. As a result we show that, unless the details of the S-boxes are considered, there do not exist 5-round impossible differentials for the AES and ARIA. Lastly, based on the links between impossible differential and zero correlation linear hull, we projected these results on impossible differentials to zero correlation linear hulls. It is interesting to note some of our results also apply to the Feistel structures with SP-type round functions

Parallelizing the Camellia and SMS4 Block Ciphers - Extended version

The n-cell GF-NLFSR (Generalized Feistel-NonLinear Feedback Shift Register) structure [8] is a generalized unbalanced Feistel network that can be considered as a generalization of the outer function FO of the KASUMI block cipher. An advantage of this cipher over other n-cell generalized Feistel networks, e.g. SMS4 [11] and Camellia [5], is that it is parallelizable for up to n rounds. In hardware implementations, the benefits translate to speeding up encryption by up to n times while consuming similar area and significantly less power. At the same time n-cell GF-NLFSR structures offer similar proofs of security against differential cryptanalysis as conventional n-cell Feistel structures. We also ensure that parallelized versions of Camellia and SMS4 are resistant against other block cipher attacks such as linear, boomerang, integral, impossible differential, higher order differential,interpolation, slide, XSL and related-key differential attacks

Security Evaluation of MISTY Structure with SPN Round Function

This paper deals with the security of MISTY structure with SPN round function. We study the lower bound of the number of active s-boxes for differential and linear characteristics of such block cipher construction. Previous result shows that the differential bound is consistent with the case of Feistel structure with SPN round function, yet the situation changes when considering the linear bound. We carefully revisit such issue, and prove that the same bound in fact could be obtained for linear characteristic. This result combined with the previous one thus demonstrates a similar practical secure level for both Feistel and MISTY structures. Besides, we also discuss the resistance of MISTY structure with SPN round function against other kinds of cryptanalytic approaches including the integral cryptanalysis and impossible differential cryptanalysis. We confirm the existence of 6-round integral distinguishers when the linear transformation of the round function employs a binary matrix (i.e., the element in the matrix is either 0 or 1), and briefly describe how to characterize 5/6/7-round impossible differentials through the matrix-based method