
    Constructions of S-boxes with uniform sharing

    In this paper we focus on S-box constructions. We consider the uniformity property of an S-box, which plays an important role in Threshold Implementations (TI). Most papers so far have studied TI sharings for given S-boxes. We proceed in the opposite way: starting from n-bit S-boxes with known sharings, we construct new (n+1)-bit S-boxes from them with the desired sharings. In addition, we investigate the self-equivalency of S-boxes and show some interesting properties.

    SPONGENT: The Design Space of Lightweight Cryptographic Hashing

    The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography - optimizing the algorithms to fit the most constrained environments - has received a great deal of attention, with recent research mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being well investigated, with only a few proposals in the public domain. In this article, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations. The resulting family of hash functions is called SPONGENT. We propose 13 SPONGENT variants -- for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them we provide several ASIC hardware implementations - ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of SPONGENT permutations, give a security analysis in terms of collision and preimage resistance, and study in detail dedicated linear distinguishers.

    Improved cryptanalysis of skein

    The hash function Skein is the submission of Ferguson et al. to the NIST Hash Competition, and is arguably a serious candidate for selection as SHA-3. This paper presents the first third-party analysis of Skein, with an extensive study of its main component: the block cipher Threefish. We notably investigate near collisions, distinguishers, impossible differentials, and key recovery using related-key differential and boomerang attacks. In particular, we present near collisions on up to 17 rounds, an impossible differential on 21 rounds, a related-key boomerang distinguisher on 34 rounds, a known-related-key boomerang distinguisher on 35 rounds, and key recovery attacks on up to 32 rounds, out of 72 in total for Threefish-512. None of our attacks directly extends to the full Skein hash. However, the pseudorandomness of Threefish is required to validate the security proofs on Skein, and our results conclude that at least 3

    Design and Cryptanalysis of Symmetric Key Algorithms (Ontwerp en cryptanalyse van symmetrische-sleutel algorithms)

    This thesis deals with symmetric-key algorithms and more specifically block ciphers and hash functions. The first set of results applies recent cryptanalysis methods (such as boomerang attacks and rebound attacks) to various algorithms. The second topic is the study of the differential probability of AES-like block ciphers for a fixed key. Finally, the design of a new lightweight algorithm is described.

    Differential cryptanalysis is one of the most powerful cryptanalysis techniques: it has not only been applied successfully to many ciphers and hash functions, but new attack techniques are derived from it. We take advantage of the method and use it to analyse the block ciphers Threefish, PRESENT, HIGHT and LED and the hash functions WIDEA and SPONGENT.

    Our publications on LED and AES deal with the differential probability of AES-like block ciphers for a fixed key. Previously, specialists expected to observe a binomial distribution for a fixed differential when all possible keys are tested. However, it was shown for the AES block cipher that two-round differentials are very structured and that the number of right pairs satisfying the differential can be either a power of two or zero. In this thesis, the previous work is extended from two to four rounds and it is shown that a similar structure can still be observed.

    This thesis also studies lightweight symmetric-key algorithms. We analyse the security of PRESENT, HIGHT, LED and WIDEA and design the hash function SPONGENT.

    Rebound Attack on Reduced-Round Versions of JH

    JH, designed by Wu, is one of the 14 second-round candidates in the NIST Hash Competition. This paper presents the first analysis results of JH using the rebound attack. We first investigate a variant of the JH hash function family for d = 4 and describe how the attack works. Then, we apply the attack for d = 8, which is the version submitted to the competition. As a result, we obtain a semi-free-start collision for 16 rounds (out of 35.5) of JH for all hash sizes with 2^179.24 compression function calls. We then extend our attack to 19 (and 22) rounds and present a 1008-bit (and 896-bit) semi-free-start near-collision on the JH compression function with 2^156.77 (2^156.56) compression function calls, 2^152.28 memory accesses and 2^143.70 bytes of memory. © 2010 Springer-Verlag.

    Forking a Blockcipher for Authenticated Encryption of Very Short Messages

    Highly efficient encryption and authentication of short messages has been identified as an essential requirement for enabling security in constrained computation and communication scenarios such as CAN FD in automotive systems (with a maximum message length of 64 bytes), massive IoT and critical communication domains of 5G, and Narrowband IoT (NB-IoT), to mention some. Accordingly, NIST has specified, as a design requirement in the lightweight cryptography project, that AEAD submissions shall be “optimized to be efficient for short messages (e.g., as short as 8 bytes)”. We propose AEAD schemes that exceed all previous general-purpose modular AEAD designs in efficiency when processing (very) short inputs. The main ingredient in our solution is a new low-level primitive, called a tweakable forkcipher, which we introduce and formalize in this paper. We give an instance of the tweakable forkcipher and dub it ForkAES. It is based on the tweakable blockcipher KIASU, which relies on the round function of AES and uses the TWEAKEY framework to derive round keys from a 128-bit secret key and a 64-bit tweak. Finally, we demonstrate the applicability of a tweakable forkcipher by designing several provably secure nonce-based AEAD modes of operation, optimized to be efficient for short messages. Taking the AES block size (16 bytes) as a reference, our new AE schemes can beat all known schemes for single-block messages while still performing better than the majority of the existing schemes for combined message and associated data lengths up to 4 blocks. While ForkAES as a concrete instantiation of a forkcipher is based on KIASU, we note that our solution provides a general recipe for lightweight AEAD for short messages, even for very resource-constrained scenarios in which AES may not be considered a lightweight option. In those environments, our schemes can be instantiated using a forkcipher that is realized based on the best off-the-shelf lightweight blockcipher, following the TWEAKEY framework.

    Collisions for the WIDEA-8 Compression Function

    WIDEA is a family of block ciphers inspired by the IDEA block cipher. The design uses n parallel instances of IDEA with an improved key schedule to obtain block ciphers with larger block sizes. Moreover, the given design is suggested as the compression function for Davies-Meyer mode. In this paper, we discuss the security of the block cipher when used as a compression function. Inspired by the weak-key attacks on IDEA, we take advantage of the slow diffusion of the key schedule and present free-start collisions for WIDEA-8, which is the version specified by the designers. Our results are practical and we are able to obtain free-start collisions with a complexity of 2^13.53. © 2013 Springer-Verlag.

    Improving the security and efficiency of block ciphers based on LS-designs

    LS-designs are a family of bitslice ciphers aiming at efficient masked implementations against side-channel analysis. This paper discusses their security against invariant subspace attacks, and describes an alternative family of eXtended LS-designs (XLS-designs) that enables additional options to prevent such attacks. LS- and XLS-designs provide a large family of ciphers from which efficient implementations can be obtained, possibly enhanced with countermeasures against physical attacks. We argue that they are interesting primitives for discussing the general question of “how simple can block ciphers be?”

    Rebound Attack on JH42

    The hash function JH [20] is one of the five finalists of the NIST SHA-3 hash competition. It has recently been tweaked for the final by increasing its number of rounds from 35.5 to 42. The previously best known results on JH were semi-free-start near-collisions up to 22 rounds using multi-inbound rebound attacks. In this paper we provide a new differential path on 32 rounds. Using this path, we are able to build various semi-free-start internal-state near-collisions, and the maximum number of rounds that we achieve is 37 rounds on 986 bits. Moreover, we build distinguishers for the full 42-round internal permutation. These are, to our knowledge, the first results faster than a generic attack on the full internal permutation of JH42, the finalist version. These distinguishers also apply to the compression function. © 2011 International Association for Cryptologic Research.

    Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT

    Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive. In this respect, several lightweight block ciphers have been designed, of which PRESENT and HIGHT are two recently proposed ones by Bogdanov et al. and Hong et al. respectively. In this paper, we propose new attacks on PRESENT and HIGHT. Firstly, we present the first related-key cryptanalysis of 128-bit-keyed PRESENT by introducing a 17-round related-key rectangle attack with time complexity of approximately 2^104 memory accesses. Moreover, we further analyze the resistance of HIGHT against impossible differential attacks by mounting new 26-round impossible differential and 31-round related-key impossible differential attacks, where the former requires a time complexity of 2^119.53 reduced-round HIGHT evaluations and the latter is slightly better than exhaustive search. © 2009 Springer Berlin Heidelberg.