KLEIN: A New Family of Lightweight Block Ciphers

Resource-efficient cryptographic primitives become fundamental for realizing both security and efficiency in embedded systems like RFID tags and sensor nodes. Among those primitives, lightweight block cipher plays a major role as a building block for security protocols. In this paper, we describe a new family of lightweight block ciphers named KLEIN, which is designed for resource-constrained devices such as wireless sensors and RFID tags. Compared to the related proposals, KLEIN has advantage in the software performance on legacy sensor platforms, while in the same time its hardware implementation can also be compact

Методика обоснования стойкости немарковских симметричных блочных шифров к дифференциальному криптоанализу

Задача доказової стійкості схеми Фейстеля до диференціального аналізу була поставлена та розв’язана Ніберг та Кнудсеном; ними була виведена теоретична верхня межа імовірності існування диференціалів шифру, виражена через відповідні імовірності раундових функцій. Цей параметр дозволяє оцінити знизу складність проведення диференціальної атаки на довільний шифр, побудований на основі схеми Фейстеля. В немарковських схем. В даній роботі пропонується загальна методика побудови аналітичної оцінки верхньої межі імовірності існування диференціалів через параметри раундових функцій. Ця методика базується на принципах, які використовувались при доведенні результатів попередніх дослідників, однак вона дозволяє оцінювати немарковські шифри та будувати аналітичні оцінки автоматично, що виявляється корисним для оцінки стійкості складних схем шифрування, для яких традиційний математичний підхід вимагав би дослідження великої кількості різних випадків. Суть методики полягає у розгляданні можливих шляхів тривіалізації раундових диференціалів шифру та розбитті множини диференціальних характеристик на класи відповідно до шляху тривіалізації. Кількість таких класів є порівняно невеликою, тому вони можуть бути швидко перебрані; для кожного класу будується верхня межа диференціальної імовірності, з яких потім обирається максимальне значення. Наводяться результати аналізу та оцінки стійкості низки узагальнених схем Фейстеля: Skipjack-подібної, CAST-подібних та узагальненої MISTY-подібної схем.Nyberg and Knudsen formulated and solved a problem of provable security of Feistel network against differential analysis. They derived analytical upper bound of cipher differential probabilities expressed in terms of corresponding round function probabilities. Such parameter gives minimal complexity of differential attack over any cipher based on Feistel network. Further, similar results was obtained for many Markov ciphers and some non-Markov schemes. We propose a procedure of constructing an analytical estimation of differential probabilities’ upper bound in terms of round functions parameters. This procedure is based on principles used in previous researches, but it allows to evaluate security of non-Markov ciphers and to build estimations automatically. The last is useful in studying of complex ciphers, for which traditional techniques would require a huge number of cases to analyze. Essence of procedure is to consider all possible ways of round differential trivialization and to partition a set of differential characteristics according to trivialization ways. The number of parts is relatively small so that they can be quickly enumerated. The upper bound of differential probability is estimated for each such part, and the maximum is the cipher’s total upper bound. We also present the results of analysis and estimations of provable security against differential analysis for some generalized Feistel networks: Skipjack-like ciphers, two variants of CAST-like ciphers and generalized MISTY-like ciphers.Задача доказательной стойкости схемы Фейстеля к дифференциальному анализу была поставлена и решена Ниберг и Кнудсеном; ними была выведена теоретическая верхняя граница вероятности существования дифференциалов шифра, выраженная через соответствующие вероятности раундовых функций. Этот параметр позволяет оценить снизу сложность проведения дифференциальной атаки на произвольный шифр, построенный на основе схемы Фейстеля. В дальнейшем подобные результаты были получены для многих других марковских шифров и некоторых немарковских схем. В данной работе предлагается методика построения аналитической оценки верхней границы вероятности существования дифференциалов через параметры раундовых функций. Эта методика базируется на принципах, которые использовались при доказательстве результатов предыдущих исследователей, однако она позволяет оценивать немарковские шифры и строить аналитические оценки автоматически, что оказывается полезным при оценке стойкости сложных схем шифрования, в которых традиционный математический подход требовал бы исследования огромного количества разных случаев. Суть методики состоит в рассмотрении возможных путей тривиализации раундовых дифференциалов шифра и разбиении множества дифференциальных характеристик на классы в соответствии с путём тривиализации. Количество таких классов сравнительно невелико, поэтому они могут быть быстро перебраны; для каждого класса строятся верхние границы дифференциальных вероятностей, из которых потом выбирается максимальное значение. Приводятся результаты анализа и оценки стойкости некоторых обобщённых схем Фейстеля: Skipjack-подобной, CAST-подобных и обобщённой MISTY-подобной схем

Differential Cryptanalysis of Round-Reduced Sparx-64/128

Sparx is a family of ARX-based block ciphers designed according to the long-trail strategy (LTS) that were both introduced by Dinu et al. at ASIACRYPT'16. Similar to the wide-trail strategy, the LTS allows provable upper bounds on the length of differential characteristics and linear paths. Thus, the cipher is a highly interesting target for third-party cryptanalysis. However, the only third-party cryptanalysis on Sparx-64/128 to date was given by Abdelkhalek et al. at AFRICACRYPT'17 who proposed impossible-differential attacks on 15 and 16 (out of 24) rounds. In this paper, we present chosen-ciphertext differential attacks on 16 rounds of Sparx-64/128. First, we show a truncated-differential analysis that requires 232232 chosen ciphertexts and approximately 293293 encryptions. Second, we illustrate the effectiveness of boomerangs on Sparx by a rectangle attack that requires approximately 259.6259.6 chosen ciphertexts and about 2122.22122.2 encryption equivalents. Finally, we also considered a yoyo attack on 16 rounds that, however, requires the full codebook and approximately 21262126 encryption equivalents

Improvements for Finding Impossible Differentials of Block Cipher Structures

We improve Wu and Wang’s method for finding impossible differentials of block cipher structures. This improvement is more general than Wu and Wang’s method where it can find more impossible differentials with less time. We apply it on Gen-CAST256, Misty, Gen-Skipjack, Four-Cell, Gen-MARS, SMS4, MIBS, Camellia⁎, LBlock, E2, and SNAKE block ciphers. All impossible differentials discovered by the algorithm are the same as Wu’s method. Besides, for the 8-round MIBS block cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang’s results. The experiment results show that the improved algorithm can not only find more impossible differentials, but also largely reduce the search time

Symmetric block ciphers with a block length of 32 bit

Subject of the thesis at hand is the analysis of symmetric block ciphers with a block length of 32 bit. It is meant to give a comprising overview over the topic of 32 bit block ciphers. The topic is divided in the examination of three questions. It contains a list of state of the art block ciphers with a block length of 32 bit. The block ciphers are being described, focussing on the encryption function. An SPN-based cipher with 32 bit block length is being proposed by rescaling the AES cipher. The 32 bit block length results in certain security issues. These so called risk factors are analysed and mitigating measures are proposed. The result of the thesis is, that 32 bit block ciphers can be implemented in a secure manner. The use of 32 bit ciphers should be limited to specific use-cases and with a profound risk analysis, to determine the protection class of the data to be encrypted

Security Evaluation against Differential Cryptanalysis for Block Cipher Structures

Estimating immunity against differential and linear cryptanalysis is essential in designing secure block ciphers. A practical measure to achieve it is to find the minimal number of active S-boxes, or a lower bound for this minimal number. In this paper, we provide a general algorithm using integer programming, which not only can estimate a good lower bound of the minimal differential active S-boxes for various block cipher structures, but also provides an efficient way to select new structures with good properties against differential cryptanalysis. Experimental results for the Feistel, CAST256, SMS4, CLEFIA and Generalized Feistel structures indicate that bounds obtained by our algorithm are the tightest except for a few rounds of the SMS4 structure. Then, for the first time, bounds of the differential active S-boxes number for the MISTY1, Skipjack, MARS and Four-cell structures are illustrated with the application of our algorithm. Finally, our algorithm is used to find four new structures with good properties against differential cryptanalysis. Security evaluation against liner cryptanalysis can be processed with our algorithm similarly by considering dual structures

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

As two important cryptanalytic methods, impossible differential cryptanalysis and integral cryptanalysis have attracted much attention in recent years. Although relations among other important cryptanalytic approaches have been investigated, the link between these two methods has been missing. The motivation in this paper is to fix this gap and establish links between impossible differential cryptanalysis and integral cryptanalysis. Firstly, by introducing the concept of structure and dual structure, we prove that $a\rightarrow b$ is an impossible differential of a structure $\mathcal E$ if and only if it is a zero correlation linear hull of the dual structure $\mathcal E^\bot$. More specifically, constructing a zero correlation linear hull of a Feistel structure with $SP$-type round function where $P$ is invertible, is equivalent to constructing an impossible differential of the same structure with $P^T$ instead of $P$. Constructing a zero correlation linear hull of an SPN structure is equivalent to constructing an impossible differential of the same structure with $(P^{-1})^T$ instead of $P$. Meanwhile, our proof shows that the automatic search tool presented by Wu and Wang could find all impossible differentials of both Feistel structures with $SP$-type round functions and SPN structures, which is useful in provable security of block ciphers against impossible differential cryptanalysis. Secondly, by establishing some boolean equations, we show that a zero correlation linear hull always indicates the existence of an integral distinguisher while a special integral implies the existence of a zero correlation linear hull. With this observation we improve the integral distinguishers of Feistel structures by $1$ round, build a $24$-round integral distinguisher of CAST-$256$ based on which we propose the best known key recovery attack on reduced round CAST-$256$ in the non-weak key model, present a $12$-round integral distinguisher of SMS4 and an $8$-round integral distinguisher of Camellia without $FL/FL^{-1}$. Moreover, this result provides a novel way for establishing integral distinguishers and converting known plaintext attacks to chosen plaintext attacks. Finally, we conclude that an $r$-round impossible differential of $\mathcal E$ always leads to an $r$-round integral distinguisher of the dual structure $\mathcal E^\bot$. In the case that $\mathcal E$ and $\mathcal E^\bot$ are linearly equivalent, we derive a direct link between impossible differentials and integral distinguishers of $\mathcal E$. Specifically, we obtain that an $r$-round impossible differential of an SPN structure, which adopts a bit permutation as its linear layer, always indicates the existence of an $r$-round integral distinguisher. Based on this newly established link, we deduce that impossible differentials of SNAKE(2), PRESENT, PRINCE and ARIA, which are independent of the choices of the $S$-boxes, always imply the existence of integral distinguishers. Our results could help to classify different cryptanalytic tools. Furthermore, when designing a block cipher, the designers need to demonstrate that the cipher has sufficient security margins against important cryptanalytic approaches, which is a very tough task since there have been so many cryptanalytic tools up to now. Our results certainly facilitate this security evaluation process

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the university of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography. In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy. Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics. Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations. By providing a unique framework describing all such design goals, we could design modes of operations for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive