34 research outputs found

    Searching for Subspace Trails and Truncated Differentials

    Grassi et al. [Gra+16] introduced subspace trail cryptanalysis as a generalization of invariant subspaces and used it to give the first five-round distinguisher for AES. While it is a generic method, up to now it has only been applied to AES and PRINCE. One obstacle to broad adoption of the attack is the lack of a generic analysis algorithm. In this work we provide efficient and generic algorithms that compute the provably best subspace trails for any substitution-permutation cipher.

    Weak-Key Distinguishers for AES

    In this paper, we analyze the security of AES in the case in which the whitening key is a weak key. After a systematization of the classes of weak keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key schedule and with the new key schedule proposed at ToSC/FSE'18 (which is faster than the standard key schedule and ensures a higher number of active S-boxes). As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak key. Using these results as a starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complexity 2^64 without requiring related keys. These new chosen-key distinguishers -- set up by exploiting a variant of the multiple-of-8 property introduced at Eurocrypt'17 -- improve all the AES chosen-key distinguishers in the single-key setting. The entire analysis has been performed using a new framework that we introduce here -- called weak-key subspace trails, which is obtained by combining invariant subspaces (Crypto'11) and subspace trails (FSE'17) into a new, more powerful attack. Weak-key subspace trails are defined by extending the invariant subspace approach to allow for different subspaces in every round, something that so far only the subspace trail approach and a generalization of invariant subspace and invariant set attacks (Asiacrypt'18) were able to do. For easier detection, we also provide an algorithm which finds these weak-key subspace trails.

    Stochastic Models for Pricing and Hedging Derivatives in Incomplete Markets: Structure, Calibration, Dynamical Programming, Risk Optimization

    THE PURPOSE AND THE RATIONALE
    The common standard pricing methods for financial assets and derivative instruments determine the price as the fair value. The latter is defined as the unique arbitrage-free price in a complete market. It is determined as the expected value of the corresponding discounted payoff with respect to a unique equivalent martingale measure (EMM). This method essentially relies on the assumption that the market is complete, such that the buyer price and the seller price match each other exactly at the unique arbitrage-free price. In practice, when the bid-ask spread is small, the market may be approximately complete, and the fair value pricing and hedging methods may be applied. In an incomplete market the standard fair value pricing method cannot be applied. For incomplete markets the bid-ask spread, i.e. the difference between buyer and seller prices, is no longer negligible. In such a situation the market state is no longer characterized by the elementary risk factors related to basic assets, such as stock prices, bond prices and currency prices. The market state will depend on further variables. The calibration of these variables will be essential in order to select the pricing EMM among infinitely many possible arbitrage-free EMMs. This project aims to develop pricing and hedging methods for essentially incomplete markets. Commodity markets are usually incomplete. But also more traditional markets such as the interest and credit markets have turned out to be incomplete during the recent financial crisis. The development of consistent methods and algorithms for pricing and hedging of the assets and financial instruments of these incomplete markets is therefore a high-priority task.
    The technical framework for incomplete market pricing and hedging distinguishes essentially 3 different settings:
    - sub/super hedging and pricing
    - utility based hedging and pricing
    - risk measure based hedging and pricing
    THE KNOWLEDGE AND/OR THE TECHNOLOGY THAT WILL BE PRODUCED AT THE END OF THE PROJECT
    A coherent theoretical framework for pricing and hedging of derivatives in incomplete markets will be developed during the project. A conceptual clarification of the requirements on pricing, hedging, and model calibration will result from this project. Furthermore, the relation to risk measures and risk premiums will be clarified. The project sets the foundation for practically applicable algorithms for pricing of derivatives in commodity markets, and for an incomplete credit-related interest market.

    Analysis of Ascon, DryGASCON, and Shamash Permutations

    Ascon, DryGASCON, and Shamash are submissions to NIST's lightweight cryptography standardization process and have similar designs. We analyze these algorithms against subspace trails, truncated differentials, and differential-linear distinguishers. We provide probability-one 4-round subspace trails for DryGASCON-256, 3-round subspace trails for DryGASCON-128, and 2-round subspace trails for the Shamash permutations. Moreover, we provide the first 3.5-round truncated differential and 5-round differential-linear distinguisher for DryGASCON-128. Finally, we improve the data and time complexity of the 4- and 5-round differential-linear attacks on Ascon.

    Improbable differential attacks on PRESENT using undisturbed bits

    In this study, we introduce a new criterion for evaluating S-boxes and attack PRESENT by exploiting its S-box. Depending on the design of an S-box, when a specific difference is given as the input (resp. output) of the S-box, the difference of at least one of the output (resp. input) bits of the S-box may be guessed with probability 1. We call such bits undisturbed, and they are helpful for constructing longer or better truncated, impossible or improbable differentials. Without using undisturbed bits, the longest improbable differential attack we could find for PRESENT had a length of 7 rounds. However, we show that PRESENT's S-box has 6 undisturbed bits and by using them, we can construct 10-round improbable differentials and attack PRESENT reduced to 13 rounds. Hence, undisturbed bits should be avoided by S-box designers.

    Improbable differential cryptanalysis.

    We present a new statistical cryptanalytic technique that we call improbable differential cryptanalysis, which uses a differential that is less probable when the correct key is used. We provide data complexity estimates for this kind of attack and we also show a method to expand impossible differentials to improbable differentials. By using this expansion method, we cryptanalyze 13-, 14-, and 15-round Clefia for the key sizes of 128, 192, and 256 bits, respectively. These are the best cryptanalytic results on Clefia up to this date. We introduce a new criterion for evaluating S-boxes that we call undisturbed bits and attack Present and Serpent by exploiting their S-boxes. Without using undisturbed bits, the longest improbable differential attack we could find for Present had a length of 7 rounds. However, we show that Present has 6 undisturbed bits and by using them, we can construct 10-round improbable differentials and attack Present reduced to 13 rounds. Similarly, without using undisturbed bits, the longest impossible differential we could find on Serpent had a length of 3.5 rounds. However, we obtained four 5.5-round impossible differentials on Serpent and provided a 7-round improbable differential attack. Hence, undisturbed bits should be avoided by S-box designers. Moreover, we provide a second S-box property that we call differential factors. A key recovery attack may not capture the whole subkey corresponding to an S-box with a differential factor. This helps the attacker to guess fewer subkey bits and reduce the time complexity of the attack. By using differential factors, we show that the 10-, 11-, and 12-round differential-linear attacks of Dunkelman et al. on Serpent can actually be performed with time complexities reduced by a factor of 4, 4, and 8, respectively. Furthermore, we slightly reduce the data complexity of these attacks by changing the differential to a more probable one, but end up with an attack with higher time complexity.
    Ph.D. - Doctoral Program

    Impossible differential cryptanalysis of the round-reduced HIGHT block cipher.

    Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive. In this respect, several lightweight block ciphers have been designed, among which HIGHT was proposed by Hong et al. at CHES 2006 as a constrained-hardware-oriented block cipher. HIGHT is shown to be highly convenient for extremely constrained devices such as RFID tags and sensor networks, and it became a standard encryption algorithm in South Korea. Impossible differential cryptanalysis is a technique discovered by Biham et al. and has been applied to many block ciphers including Skipjack, IDEA, Khufu, Khafre, HIGHT, AES, Serpent, CRYPTON, Twofish, TEA, XTEA and ARIA. The security of HIGHT against impossible differential attacks has been investigated both by Hong et al. and by Lu: an 18-round impossible differential attack is given in the proposal of HIGHT, and Lu improved this result by giving a 25-round impossible differential attack. Moreover, Lu found a 28-round related-key impossible differential attack, which is the best known attack on HIGHT. In related-key attacks, the attacker is assumed to know the relation between the keys but not the keys themselves. In this study, we further analyze the resistance of HIGHT against impossible differential attacks by mounting a new 26-round impossible differential attack and a new 31-round related-key impossible differential attack. Although our results are theoretical in nature, they are new results on HIGHT and reduce its security margin further.
    M.S. - Master of Science