
    Cryptanalysis of Some AES-based Cryptographic Primitives

    Current information security systems rely heavily on symmetric-key cryptographic primitives as one of their basic building blocks. In order to boost the efficiency of the security systems, designers of the underlying primitives often tend to avoid the use of provably secure designs. Instead, they adopt ad hoc designs with claimed security assumptions in the hope that they resist known cryptanalytic attacks. Accordingly, the security evaluation of such primitives continually remains an open field. In this thesis, we analyze the security of two cryptographic hash functions and one block cipher. We primarily focus on the recent AES-based designs used in the new Russian Federation cryptographic hashing and encryption suite GOST, because the majority of our work was carried out during the open research competition run by the Russian standardization body TC26 for the analysis of their new cryptographic hash function Streebog. Although there exist security proofs for the resistance of AES-based primitives against standard differential and linear attacks, other cryptanalytic techniques such as integral, rebound, and meet-in-the-middle attacks have proven to be effective. The results presented in this thesis can be summarized as follows. Initially, we analyze various security aspects of the Russian cryptographic hash function GOST R 34.11-2012, also known as Streebog or Stribog. In particular, our work investigates five security aspects of Streebog. Firstly, we present a collision analysis of the compression function and its internal cipher in the form of a series of modified rebound attacks. Secondly, we propose an integral distinguisher for the 7- and 8-round compression function. Thirdly, we investigate the one-wayness of Streebog with respect to two approaches of the meet-in-the-middle attack, where we present a preimage analysis of the compression function and combine the results with a multicollision attack to generate a preimage of the hash function output.
Fourthly, we investigate Streebog in the context of malicious hashing and, by utilizing a carefully tailored differential path, we present a backdoored version of the hash function where collisions can be generated with practical complexity. Lastly, we propose a fault analysis attack which retrieves the inputs of the compression function, and utilize it to recover the secret key when Streebog is used in the keyed simple-prefix and secret-IV MACs, HMAC, or NMAC. All the presented results are on reduced-round variants of the function, except for our analysis of the malicious version of Streebog and our fault analysis attack, where both attacks cover the full-round hash function. Next, we examine the preimage resistance of the AES-based Maelstrom-0 hash function, which is designed to be a lightweight alternative to the ISO-standardized hash function Whirlpool. One of the distinguishing features of the Maelstrom-0 design is the proposal of a new chaining construction called 3CM, which is based on the 3C/3C+ family. In our analysis, we employ a 4-stage approach that uses a modified technique to defeat the 3CM chaining construction and generates preimages of the 6-round reduced Maelstrom-0 hash function. Finally, we provide a key recovery attack on the new Russian encryption standard GOST R 34.12-2015, also known as Kuznyechik. Although Kuznyechik adopts an AES-based design, it exhibits a faster diffusion rate as it employs an optimal diffusion transformation. In our analysis, we propose a meet-in-the-middle attack using the idea of efficient differential enumeration, where we construct a three-round distinguisher and consequently are able to recover 16 bytes of the master key of the reduced 5-round cipher. We also present partial sequence matching, by which we generate, store, and match parts of the compared parameters while maintaining a negligible probability of matching error; thus the overall online time complexity of the attack is reduced.

    Keyed Streebog is a secure PRF and MAC

    One of the most popular ways to turn a keyless hash function into a keyed one is the HMAC algorithm. This approach is too expensive in some cases because of double hashing. The excessive overhead can sometimes be avoided by using certain features of the hash function itself. The paper presents a simple and safe way to create a keyed cryptoalgorithm (conventionally called Streebog-K) from the hash function Streebog H(M). Let K be a secret key; then KH(K, M) = H(K || M) is a secure pseudorandom function (PRF) and, therefore, a good message authentication code (MAC). The proof is obtained by reducing the security of the presented construction to the resistance of the underlying compression function to related-key attacks (PRF-RKA). The security bounds of Streebog-K are essentially the same as those of HMAC-Streebog, but the computing speed doubles when short messages are used.

    Cryptanalysis of Some Block Cipher Constructions

    When public-key cryptography was introduced in the 1970s, symmetric-key cryptography was believed to soon become outdated. Nevertheless, we still heavily rely on symmetric-key primitives as they give high-speed performance. They are used to secure mobile communication, e-commerce transactions, communication through virtual private networks and the sending of electronic tax returns, among many other everyday activities. However, the security of symmetric-key primitives does not depend on a well-known hard mathematical problem such as the factoring problem, which is the basis of the RSA public-key cryptosystem. Instead, the security of symmetric-key primitives is evaluated against known cryptanalytic techniques. Accordingly, furthering the state of the art of cryptanalysis of symmetric-key primitives is an ever-evolving topic. Therefore, this thesis is dedicated to the cryptanalysis of symmetric-key cryptographic primitives. Our focus is on block ciphers as well as hash functions that are built using block ciphers. Our contributions can be summarized as follows. First, we tackle the limitation of the current Mixed Integer Linear Programming (MILP) approaches in representing the differential propagation through large S-boxes. Indeed, we present a novel approach that can efficiently model the Difference Distribution Table (DDT) of large S-boxes, i.e., 8-bit S-boxes. As a proof of the validity and efficiency of our approach, we apply it to two out of the seven AES-round-based constructions that were recently proposed at FSE 2016. Using our approach, we improve the lower bound on the number of active S-boxes of one construction and the upper bound on the best differential characteristic of the other. Then, we propose meet-in-the-middle attacks using the idea of efficient differential enumeration against two Japanese block ciphers, i.e., Hierocrypt-L1 and Hierocrypt-3.
Both block ciphers were submitted to the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) project, selected as Japanese e-Government recommended ciphers in 2003 and reselected for the candidate recommended ciphers list in 2013. We construct five S-box-layer distinguishers that we use to recover the master keys of reduced 8 S-box-layer versions of both block ciphers. In addition, we present another meet-in-the-middle attack on Hierocrypt-3 with slightly higher time and memory complexities but with much lower data complexity. Afterwards, we shift focus to another equally important cryptanalytic attack, i.e., the impossible differential attack. SPARX-64/128 is selected from the SPARX family, which was recently proposed to provide an ARX-based block cipher whose security against differential and linear cryptanalysis can be proven. We assess the security of SPARX-64/128 against the impossible differential attack and show that it can reach the same number of rounds as the division-based integral attack proposed by the designers. Then, we pick Kiasu-BC as an example of a tweakable block cipher and prove that, contrary to its designers' claim, the freedom in choosing the publicly known tweak decreases its security margin. Lastly, we study the impossible differential properties of the underlying block cipher of the Russian hash standard Streebog and point out the potential risk in using it as a MAC scheme in the secret-IV mode.

    Application of Fault Analysis to Some Cryptographic Standards

    Cryptanalysis methods can be classified as pure mathematical attacks, such as linear and differential cryptanalysis, and implementation-dependent attacks such as power analysis and fault analysis. Pure mathematical attacks exploit the mathematical structure of the cipher to reveal the secret key inside the cipher. On the other hand, implementation-dependent attacks assume that the attacker has access to the cryptographic device to launch the attack. Fault analysis is an example of a side-channel attack in which the attacker is assumed to be able to induce faults in the cryptographic device and observe the faulty output. Then, the attacker tries to recover the secret key by combining the information obtained from the faulty and the correct outputs. Even though fault analysis attacks may require access to some specialized equipment to be able to insert faults at specific locations or at specific times during the computation, the resulting attacks usually have time and memory complexities which are far more practical as compared to pure mathematical attacks. Recently, several AES-based primitives were approved as new cryptographic standards throughout the world. For example, Kuznyechik was approved as the standard block cipher in the Russian Federation, and Kalyna and Kupyna were approved as the standard block cipher and hash function, respectively, in Ukraine. Given the importance of these three new primitives, in this thesis we analyze their resistance against fault analysis attacks. Firstly, we modified a differential fault analysis (DFA) attack that was applied to AES and applied it to Kuznyechik. Application of DFA to Kuznyechik was not a trivial task because of the linear transformation layer used in the last round of Kuznyechik.
In order to bypass the effect of this linear transformation, we had to use an equivalent representation of the last round, which allowed us to recover the last two round keys using a total of four faults and break the cipher. Secondly, we modified the attack we applied to Kuznyechik and applied it to Kalyna. Kalyna has a complicated key schedule and uses modulo 2^64 addition for applying the first and last round keys. This makes Kalyna more resistant to DFA as compared to AES and Kuznyechik, but it is still practically breakable because the number of key candidates that can be recovered by DFA can be brute-forced in a reasonable time. We also considered the case where the S-box entries of Kalyna are not known and showed how to recover a set of candidates for the S-box entries. Lastly, we applied two fault analysis attacks to the Kupyna hash function. In the first case, we assumed that the S-boxes and all the other function parameters are known, and in the second case we assumed that the S-boxes were kept secret and attacked the hash function accordingly. Kupyna can be used as the underlying hash function for the construction of MAC schemes such as secret-IV, secret-prefix, HMAC or NMAC. In our analysis, we showed that the secret inputs of Kupyna can be recovered using fault analysis. To conclude, we analyzed two newly accepted standard ciphers (Kuznyechik, Kalyna) and one newly approved standard hash function (Kupyna) for their resistance against fault attacks. We also analyzed Kalyna and Kupyna under the assumption that these primitives can be deployed with secret user-defined S-boxes in order to increase their security.

    Robustness of Affine and Extended Affine Equivalent Surjective S-Box(es) against Differential Cryptanalysis

    A Feistel Network (FN) based block cipher relies on a Substitution Box (S-Box) for achieving non-linearity. The S-Box is carefully designed to achieve optimal cryptographic security bounds. The research of the last three decades shows that considerable efforts are being made on the mathematical design of an S-Box. To import the exact cryptographic profile of an S-Box, the designer focuses on the Affine Equivalent (AE) or Extended Affine (EA) equivalent S-Box. In this research, we argue that the Robustness of surjective mappings is invariant under AE and not invariant under EA transformation. It is proved that the EA equivalent of a surjective mapping does not necessarily contribute to the Robustness against Differential Cryptanalysis (DC) in the light of Seberry's criteria. The generated EA equivalent S-Box(es) of DES and other 6×4 mappings do not show a good robustness profile compared to the original mappings. This article concludes that a careful selection of affine permutation parameters is significant during the design phase to achieve high Robustness against DC and Differential Power Analysis (DPA) attacks.
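    As an added illustration of the claim above (an example written for this page, not code from the article): the difference distribution table and Seberry-style robustness of the DES S1 box, a surjective 6×4 mapping, computed directly and again after an affine-equivalent and an extended-affine-equivalent transformation. An AE transform only permutes the rows and columns of the DDT, so N, R and the robustness value are unchanged; an EA transform adds a linear function of the input to the output, which reshapes the DDT and can change them. The affine parameters A, a, B, b and the linear map L are random constructed samples, and the robustness formula (1 - N/2^n)(1 - R/2^n) is reproduced from memory and should be checked against the criteria the article cites.

```python
"""Robustness against differential cryptanalysis under affine (AE) and
extended-affine (EA) equivalence.  Added example, not code from the article.
S-box: DES S1 (surjective 6x4), keyed in from the standard's row/column
layout.  Robustness after Seberry, Zhang and Zheng (from memory; verify):
eps = (1 - N/2^n) * (1 - R/2^n), N = number of non-zero input differences
that can produce output difference 0, R = largest DDT entry.  All affine
and linear parameters below are constructed random samples."""
import random

DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox_as_table(rows):
    """Flatten the DES layout to S[x], x in 0..63: row = outer bits (b5, b0), column = b4..b1."""
    return [rows[((x >> 5) & 1) << 1 | (x & 1)][(x >> 1) & 15] for x in range(64)]


def ddt(sbox, n, m):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    t = [[0] * (1 << m) for _ in range(1 << n)]
    for x in range(1 << n):
        for a in range(1 << n):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def robustness(sbox, n, m):
    """Return (N, R, eps) for an n x m S-box given as a lookup table."""
    t = ddt(sbox, n, m)
    N = sum(1 for a in range(1, 1 << n) if t[a][0] > 0)
    R = max(t[a][b] for a in range(1, 1 << n) for b in range(1 << m))
    return N, R, (1 - N / (1 << n)) * (1 - R / (1 << n))


def apply_linear(cols, x):
    """Multiply a GF(2) matrix, stored as column bit-masks, by the bit vector x."""
    y = 0
    for i, c in enumerate(cols):
        if (x >> i) & 1:
            y ^= c
    return y


def random_invertible(n, rng):
    """Random element of GL(n, 2) as column masks: resample until the map is a bijection."""
    while True:
        cols = [rng.randrange(1, 1 << n) for _ in range(n)]
        if len({apply_linear(cols, x) for x in range(1 << n)}) == 1 << n:
            return cols


def affine_equivalent(sbox, n, A, a, B, b):
    """S'(x) = B(S(A x + a)) + b with A, B invertible: affine equivalence."""
    return [apply_linear(B, sbox[apply_linear(A, x) ^ a]) ^ b for x in range(1 << n)]


def extended_affine_equivalent(sbox, n, A, a, B, b, L):
    """S'(x) = B(S(A x + a)) + b + L x with L any m x n linear map: EA equivalence."""
    return [apply_linear(B, sbox[apply_linear(A, x) ^ a]) ^ b ^ apply_linear(L, x)
            for x in range(1 << n)]


def demo(seed=7):
    """(N, R, eps) for DES S1, for an AE equivalent of it, and for an EA equivalent of it."""
    n, m = 6, 4
    rng = random.Random(seed)
    S = des_sbox_as_table(DES_S1)
    A, B = random_invertible(n, rng), random_invertible(m, rng)
    a, b = rng.randrange(1 << n), rng.randrange(1 << m)
    L = [rng.randrange(1 << m) for _ in range(n)]        # columns of a random m x n map
    return (robustness(S, n, m),
            robustness(affine_equivalent(S, n, A, a, B, b), n, m),
            robustness(extended_affine_equivalent(S, n, A, a, B, b, L), n, m))


if __name__ == "__main__":
    base, ae, ea = demo()
    print("DES S1     (N, R, eps):", base)
    print("AE variant (N, R, eps):", ae)   # always identical to the original
    print("EA variant (N, R, eps):", ea)   # may differ: the L x term reshapes the DDT
```

The AE invariance is structural: with u = A x + a running over all inputs, S'(x) ^ S'(x ^ alpha) = B(S(u) ^ S(u ^ A alpha)), so DDT'[alpha][beta] = DDT[A alpha][B^-1 beta] and the first column maps onto the first column. The EA term L x is not absorbed by that argument, which is exactly the gap the article points at; run demo() with several seeds to see how much the EA variants move.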

    Heuristic algorithm for obtaining permutations with given cryptographic properties using a generalized construction

    The possibility of constructing, by means of a generalized construction, permutations with given cryptographic characteristics that ensure the resistance of encryption algorithms to linear and differential cryptanalysis is investigated. A heuristic algorithm is proposed for searching for the parameters of the generalized construction, which are obtained by multiplication by transpositions. Ideas from genetic algorithms and from the spectral-linear and spectral-differential methods are used. Questions of optimizing the computation of the cryptographic characteristics at each iteration of the algorithm are studied. Experimental studies of 8-bit permutations, the most interesting case in practice, showed that 6-uniform permutations with nonlinearity 108 can be constructed.

    Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms

    In this thesis, I present the research I did with my co-authors on several aspects of symmetric cryptography from May 2013 to December 2016, that is, when I was a PhD student at the University of Luxembourg under the supervision of Alex Biryukov. My research has spanned three different areas of symmetric cryptography. In Part I of this thesis, I present my work on lightweight cryptography. This field of study investigates the cryptographic algorithms that are suitable for very constrained devices with little computing power such as RFID tags and small embedded processors such as those used in sensor networks. Many such algorithms have been proposed recently, as evidenced by the survey I co-authored on this topic. I present this survey along with attacks against three of those algorithms, namely GLUON, PRINCE and TWINE. I also introduce a new lightweight block cipher called SPARX which was designed using a new method to justify its security: the Long Trail Strategy. Part II is devoted to S-Box reverse-engineering, a field of study investigating the methods for recovering the hidden structure or the design criteria used to build an S-Box. I co-invented several such methods: a statistical analysis of the differential and linear properties which was applied successfully to the S-Box of the NSA block cipher Skipjack, a structural attack against Feistel networks called the yoyo game, and the TU-decomposition. This last technique allowed us to decompose the S-Box of the last Russian standard block cipher and hash function as well as the only known solution to the APN problem, a long-standing open question in mathematics. Finally, Part III presents a unifying view of several fields of symmetric cryptography by interpreting them as purposefully hard. Indeed, several cryptographic algorithms are designed so as to maximize the code size, RAM consumption or time taken by their implementations.
By providing a unique framework describing all such design goals, we could design modes of operation for building any symmetric primitive with any form of hardness by combining secure cryptographic building blocks with simple functions with the desired form of hardness, called plugs. Alex Biryukov and I also showed that it is possible to build plugs with an asymmetric hardness whereby the knowledge of a secret key allows the privileged user to bypass the hardness of the primitive.

    The MALICIOUS Framework: Embedding Backdoors into Tweakable Block Ciphers

    Inserting backdoors in encryption algorithms has long seemed like a very interesting, yet difficult problem. Most attempts have been unsuccessful for symmetric-key primitives so far, and it remains an open problem how to build such ciphers. In this work, we propose the MALICIOUS framework, a new method to build tweakable block ciphers with hidden backdoors that allow the secret key to be retrieved. Our backdoor is differential in nature: a specific related-tweak differential path with high probability is hidden during the design phase of the cipher. We explain how any entity knowing the backdoor can practically recover the secret key of a user, and we also argue why even knowing the presence of the backdoor and the workings of the cipher will not permit an external user to retrieve the backdoor. We analyze the security of our construction in the classical black-box model and we show that retrieving the backdoor (the hidden high-probability differential path) is very difficult. We instantiate our framework by proposing the LowMC-M construction, a new family of tweakable block ciphers based on instances of the LowMC cipher, which allow such backdoor embedding. Generating LowMC-M instances is trivial, and the LowMC-M family has basically the same efficiency as the LowMC instances it is based on.

    Algebraic Fault Analysis of SHA-3

    This paper presents an efficient algebraic fault analysis of all four modes of SHA-3 under relaxed fault models. This is the first work to apply algebraic techniques to fault analysis of SHA-3. Results show that algebraic fault analysis of SHA-3 is very efficient and effective due to the clear algebraic properties of the Keccak operations. Compared with previous work on differential fault analysis of SHA-3, algebraic fault analysis can identify the injected faults at much higher rates, and recover an entire internal state of the penultimate round with far fewer fault injections.

    ΠšΠΎΠ½ΡΡ‚Ρ€ΡƒΠΈΡ€Π°Π½Π΅ Π½Π° Π±ΡƒΠ»Π΅Π²ΠΈ Ρ„ΡƒΠ½ΠΊΡ†ΠΈΠΈ ΠΈ Ρ†ΠΈΡ„Ρ€ΠΎΠ²ΠΈ послСдоватСлности Π·Π° криптологията ΠΈ ΠΊΠΎΠΌΡƒΠ½ΠΈΠΊΠ°Ρ†ΠΈΠΈΡ‚Π΅

    IMI-BAS (ИМИ-БАН), section "Mathematical Foundations of Informatics", 2023: award of the educational and scientific degree "Doctor" to Miroslav Marinov Dimitrov in the professional field of Informatics and Computer Science. [Dimitrov Miroslav Marinov; Π”ΠΈΠΌΠΈΡ‚Ρ€ΠΎΠ² ΠœΠΈΡ€ΠΎΡΠ»Π°Π² ΠœΠ°Ρ€ΠΈΠ½ΠΎΠ²