36 research outputs found

    Distinguishers for "Kalyna"-like ciphers based on their algebraic and structural properties

    The qualification work contains: 56 pages, 13 figures, 2 tables, 4 sources. In this work, distinguishers were constructed using the subspace trail analysis method, and the resistance of Kalyna-like ciphers to subspace trail cryptanalysis was analysed. The object of research is information processes in cryptographic protection systems. The subject of research is models and methods of subspace trail cryptanalysis. In the work, distinguishers were constructed by the subspace trail method and the zero-difference method for 5-round Kalyna-like ciphers. Also, 3-round distinguishers of Kalyna-like ciphers were constructed by the impossible integral method.

    Qualification work contains: 56 pages, 13 figures, 2 tables, 4 sources. In the work we built distinguishers based on subspace trail cryptanalysis for «Kalyna»-like ciphers. Also, the complexity of building such distinguishers was analyzed. The object of research is information processes in cryptographic protection systems. The subject of research is models and methods of subspace trail cryptanalysis. In the work, distinguishers were constructed with the method of subspace trail cryptanalysis and the zero-difference method for 5-round «Kalyna»-like ciphers. Also, 3-round Kalyna-like cipher distinguishers were constructed with the impossible mixture integral method.

    Practical Low Data-Complexity Subspace-Trail Cryptanalysis of Round-Reduced PRINCE

    Subspace trail cryptanalysis is a very recent cryptanalysis technique that includes differential, truncated differential, impossible differential, and integral attacks as special cases. In this paper, we consider PRINCE, a widely analyzed block cipher proposed in 2012. After identifying a 2.5-round subspace trail of PRINCE, we present several (truncated differential) attacks on up to 6 rounds of PRINCE. This includes a very practical attack with the lowest data complexity of only 8 plaintexts for 4 rounds, which co-won the final round of the PRINCE challenge in the 4-round chosen-plaintext category. The attacks have been verified using a C implementation. Of independent interest, we consider a variant of PRINCE in which the ShiftRows and MixLayer operations are exchanged in position. In particular, our result shows that the position of the ShiftRows and MixLayer operations influences the security of PRINCE. The same analysis applies to follow-up designs inspired by PRINCE.

    Searching for Subspace Trails and Truncated Differentials

    Grassi et al. [Gra+16] introduced subspace trail cryptanalysis as a generalization of invariant subspaces and used it to give the first five-round distinguisher for AES. While it is a generic method, up to now it has only been applied to AES and PRINCE. One obstacle to broad adoption of the attack is the lack of a generic analysis algorithm. In this work we provide efficient and generic algorithms that compute the provably best subspace trails for any substitution-permutation cipher.

    Zero-Sum Partitions of PHOTON Permutations

    We describe an approach to zero-sum partitions using Todo's division property from EUROCRYPT 2015. It follows the inside-out methodology and includes an MILP-assisted search for the forward and backward trails, and a subspace approach to connect those two trails that is less restrictive than is commonly done. As an application we choose PHOTON, a family of sponge-like hash function proposals that was recently standardized by ISO. With respect to the security claims made by the designers, we show for the first time zero-sum partitions for almost all of the full 12-round permutation variants that use a 4-bit S-Box. As with essentially any other zero-sum property in the literature, the gap between a generic attack and the shortcut is small here as well.

    A General Proof Framework for Recent AES Distinguishers

    In this paper, a new framework is developed for proving and adapting the recently proposed multiple-of-8 property and mixture-differential distinguishers. These properties are formulated as immediate consequences of an equivalence relation on the input pairs, under which the difference at the output of the round function is invariant. This approach provides a deeper understanding of these newly developed distinguishers. For example, it clearly shows that the branch number of the linear layer does not influence the validity of the property, contrary to what was previously believed. We further extend the mixture-differential distinguishers and the multiple-of-8 property to any SPN and to a larger class of subspaces. These adapted properties can then be exhibited in a systematic way for ciphers other than the AES. We illustrate this with the examples of Midori, Klein, LED and Skinny.

    Overview of attacks on AES-128: to the 15th anniversary of AES

    An overview is presented of works published before 2016 and devoted to the cryptanalysis of the AES-128 (Advanced Encryption Standard) algorithm. The main cryptographic methods used in the analysis of AES are listed. The complexity characteristics of 88 attacks on reduced variants of the AES-128 algorithm are given. The number of known ciphertext/plaintext pairs required to carry out the attacks, together with the conditions on them, is indicated. Side-channel attacks and attacks with restrictions on the keys used were not considered.

    Revisiting the Multiple-of Property for SKINNY: The Exact Computation of the Number of Right Pairs

    At EUROCRYPT 2017, Grassi et al. proposed the multiple-of-8 property for 5-round AES, where the number $n$ of right pairs is a multiple of 8. At ToSC 2019, Boura et al. generalized the multiple-of property to a general SPN block cipher and applied it to the block cipher SKINNY. In this paper, we show that $n$ is not only a multiple but also a fixed value for SKINNY. Unlike the previous proof of the generalized multiple-of property using equivalence classes, we investigate the propagation of the set to compute the exact number $n$. We experimentally verified that the presented property holds. We extend this property by one more round using the lack of a whitening key in SKINNY and use this property to construct 6-round distinguishers on SKINNY-64 and SKINNY-128. The probability of success of both distinguishers is almost 1 and the total complexities are $2^{16}$ and $2^{32}$ respectively. We verified that this property only holds for SKINNY, not for AES and MIDORI, and provide the conditions under which it exists for AES-like ciphers.

    Analysis of subspace trails of «Kalyna»-like ciphers

    In this work, examples of subspace trails for one, two, three and four rounds of «Kalyna»-like ciphers are considered and presented. For the first time, the properties of the fifth round of «Kalyna»-like ciphers were considered, which makes it possible to construct a round-key recovery attack for the 6th round.

    The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes

    This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the construction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of an FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated with {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints determined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the-art manufacturing process are reported. Finally, we propose a technique to extend the length of the tweak by using, for instance, a universal hash function, which can also be used to strengthen the security of QARMA.