Probabilistic slide cryptanalysis and its applications to LED-64 and Zorro

Abstract. This paper aims to enhance the application of slide attack which is one of the most well-known cryptanalysis methods using selfsimilarity of a block cipher. The typical countermeasure against slide cryptanalysis is to use round-dependent constants. We present a new probabilistic technique and show how to overcome round-dependent constants in a slide attack against a block cipher based on the general EvenMansour scheme with a single key. Our technique can potentially break more rounds than any previously known cryptanalysis for a specific class of block ciphers. We show employing round constants is not always sufficient to provide security against slide variant cryptanalysis, but also the relation between the round constants should be taken into account. To demonstrate the impact of our model we provide analysis of two roundreduced block ciphers LED-64 and Zorro, presented in CHES 2011 and CHES 2013, respectively. As a first application we recover the key for 16 rounds of Zorro. This result improves the best cryptanalysis presented by the designers which could be applied upto 12 rounds of its 24 rounds. In the case of LED-64 the cryptanalysis leads to the best results on 2-step reduced LED-64 in the known-plaintext model

Efficient Accelerator for NTT-based Polynomial Multiplication

The Number Theoretic Transform (NTT) is used to efficiently execute polynomial multiplication. It has become an important part of lattice-based post-quantum methods and the subsequent generation of standard cryptographic systems. However, implementing post-quantum schemes is challenging since they rely on intricate structures. This paper demonstrates how to develop a high-speed NTT multiplier highly optimized for FPGAs with few logical resources. We describe a novel architecture for NTT that leverages unique precomputation. Our method efficiently maps these specific pre-computed values into the built-in Block RAMs (BRAMs), which greatly reduces the area and time required for implementation when compared to previous works. We have chosen Kyber parameters to implement the proposed architectures. Compared to the most well-known approach for implementing Kyber’s polynomial multiplication using NTT, the time is reduced by 31%, and AT (area × time) is improved by 25% as a result of the pre computation we suggest in this study. It is worth mentioning that we obtained these improvements while our method does not require DSP

Enhanced Flush+Reload Attack on AES

In cloud computing, multiple users can share the same physical machine that can potentially leak secret information, in particular when the memory de-duplication is enabled. Flush+Reload attack is a cache-based attack that makes use of resource sharing. T-table implementation of AES is commonly used in the crypto libraries like OpenSSL. Several Flush+Reload attacks on T-table implementation of AES have been proposed in the literature which requires a notable number of encryptions. In this paper, we present a technique to enhance the Flush+Reload attack on AES in the ciphertext-only scenario by significantly reducing the number of needed encryptions in both native and cross-VM setups. In this paper, we focus on finding the wrong key candidates and keep the right key by considering only the cache miss event. Our attack is faster than previous Flush+Reload attacks. In particular, our method can speed-up the Flush+Reload attack in cross-VM environment significantly. To verify the theoretical model, we implemented the proposed attack

Cryptanalysis of Low-Data Instances of Full LowMCv2

LowMC is a family of block ciphers designed for a low multiplicative complexity. The specification allows a large variety of instantiations, differing in block size, key size, number of S-boxes applied per round and allowed data complexity. The number of rounds deemed secure is determined by evaluating a number of attack vectors and taking the number of rounds still secure against the best of these. In this paper, we demonstrate that the attacks considered by the designers of LowMC in the version 2 of the round-formular were not sufficient to fend off all possible attacks. In the case of instantiations of LowMC with one of the most useful settings, namely with few applied S-boxes per round and only low allowable data complexities, efficient attacks based on difference enumeration techniques can be constructed. We show that it is most effective to consider tuples of differences instead of simple differences, both to increase the range of the distinguishers and to enable key recovery attacks. All applications for LowMC we are aware of, including signature schemes like Picnic and more recent (ring/group) signature schemes have used version 3 of the roundformular for LowMC, which takes our attack already into account

Impossible Differential Cryptanalysis on Deoxys-BC-256

Deoxys is a third-round candidate of the CAESAR competition. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round ID characteristic by utilizing a miss-in-the-middle-approach. We then present several cryptanalyses based upon the 4.5 rounds distinguisher against round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-rounds Deoxys-BC-256 in the tweak-key model which is, to the best of our knowledge, the first independent investigation of the security of Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model which has a slightly higher data complexity than the best previous results obtained by a rectangle attack presented at FSE 2018 but requires a lower memory complexity with an equal time complexity

New Single-Trace Side-Channel Attacks on a Specific Class of Elgamal Cryptosystem

In 2005, Yen et al. proposed the first $N-1$ attack on the modular exponentiation algorithms such as BRIP and square-and-multiply-always methods. This attack makes use of the ciphertext $N-1$ as a distinguisher of low order to obtain a strong relation between side-channel leakages and secret exponent. The so-called $N-1$ attack is one of the most important order-2 element attacks, as it requires a non-adaptive chosen ciphertext which is considered as a more realistic attack model compared to adaptive chosen ciphertext scenario. To protect the implementation against $N-1$ attack, several literatures propose the simplest solution, i.e. \textquotedblleft block the special message $N-1$ . In this paper, we conduct an in-depth research on the $N-1$ attack based on the square-and-multiply-always (SMA) and Montgomery Ladder (ML) algorithms. We show that despite the unaccepted ciphertext $N-1$ countermeasure, other types of $N-1$ attacks is applicable to specific classes of Elgamal cryptosystems. We propose new chosen-message power-analysis attacks with order-4 elements which utilize a chosen ciphertext $c$ such that $c^2= -1 \bmod p$ where $p$ is the prime number used as a modulus in Elgamal. Such a ciphertext can be found simply when $p\equiv 1\mod 4$. We demonstrate that ML and SMA algorithms are subjected to our new $N-1$-type attack by utilizing a different ciphertext. We implement the proposed attacks on the TARGET Board of the ChipWhisperer CW1173 and our experiments validate the feasibility and effectiveness of the attacks by using only a single power trace

Linked Fault Analysis

Numerous fault models have been developed, each with distinct characteristics and effects. These models should be evaluated in light of their costs, repeatability, and practicability. Moreover, there must be effective ways to use the injected fault to retrieve the secret key, especially if there are some countermeasures in the implementation. In this paper, we introduce a new fault analysis technique called ``linked fault analysis\u27\u27 (LFA), which can be viewed as a more powerful version of well-known fault attacks against implementations of symmetric primitives in various circumstances, especially software implementations. For known fault analyses, the bias over the faulty value or the relationship between the correct value and the faulty one, both produced by the fault injection serve as the foundations for the fault model. In the LFA, however, a single fault involves two intermediate values. The faulty target variable, $u\u27$, is linked to a second variable, $v$, such that a particular relation holds: $u\u27=l(v)$. We show that LFA lets the attacker perform fault attacks without the input control, with much fewer data than previously introduced fault attacks in the same class. Also, we show two approaches, called LDFA and LIFA, that show how LFA can be utilized in the presence or absence of typical redundant-based countermeasures. Finally, we demonstrate that LFA is still effective, but under specific circumstances, even when masking protections are in place. We performed our attacks against the public implementation of AES in ATMEGA328p to show how LFA works in the real world. The practical results and simulations validate our theoretical models as well

Statistical Effective Fault Attacks: The other Side of the Coin

The introduction of Statistical Ineffective Fault Attacks (SIFA) has led to a renewed interest in fault attacks. SIFA requires minimal knowledge of the concrete implementation and is effective even in the presence of common fault or power analysis countermeasures. However, further investigations reveal that undesired and frequent ineffective events, which we refer to as the noise phenomenon, are the bottleneck of SIFA that can considerably diminish its strength. This includes noise associated with the attack’s setup and caused by the countermeasures utilized in the implementation. This research aims to address this significant drawback. We present two novel statistical fault attack variants that are far more successful in dealing with these noisy conditions. The first variant is the Statistical Effective Fault Attack (SEFA), which exploits the non-uniform distribution of intermediate variables in circumstances when the induced faults are effective. The idea behind the second proposed method, dubbed Statistical Hybrid Fault Attacks (SHFA), is to take advantage of the biased distributions of both effective and ineffective cases simultaneously. Our experimental results in various case studies, including noise-free and noisy setups, back up our reasoning that SEFA surpasses SIFA in several instances and that SHFA outperforms both or is at least as efficient as the best of them

Tutkimuksia kevyen luokan salaustekniikasta

The decreasing size of devices is one of the most significant changes in telecommunication and information technologies. This change has been accompanied by a dramatic reduction in the cost of computing devices. The dawning era of ubiquitous computing has opened the door to extensive new applications. Ubiquitous computing has found its way into products thanks to the improvements in the underlying enabling technologies. Considerable developments in constraint devices such as RFID tags facilitate novel services and bring embedded computing devices to our everyday environments. The changes that lie ahead will eventually make pervasive computing devices an integral part of our world. The growing prevalence of pervasive computing devices has created a significant need for the consideration of security issues. However, security cannot be considered independently, but instead, should be evaluated alongside related issues such as performance and cost. In particular, there are several limitations facing the design of appropriate ciphers for extremely constrained environments. In response to this challenge, several lightweight ciphers have been designed during the last years. The purpose of this dissertation is to evaluate the security of the emerging lightweight block ciphers. This dissertation develops cryptanalytic methods for determining the exact security level of some inventive and unconventional lightweight block ciphers. The work studies zero-correlation linear cryptanalysis by introducing the Matrix method to facilitate the finding of zero-correlation linear approximations. As applications, we perform zero-correlation cryptanalysis on the 22-round LBlock and TWINE. We also perform simulations on a small variant of LBlock and present the first experimental results to support the theoretical model of the multidimensional zero-correlation linear cryptanalysis method. In addition, we provide a new perspective on slide cryptanalysis and reflection cryptanalysis by extending previous research of self-similarity cryptanalysis. Unlike classical techniques, our approach is not limited to deterministic characteristics. To demonstrate the impact of our model we provide statistical and structural analysis of three well-known lightweight block ciphers: ITUbee, Zorro and LED. As a result of the analysis presented in this work new security criteria for PRINCE-like ciphers are obtained.Informaatio- ja tietoliikennetekniikan merkittävimpiä muutoksia on ollut siirtyminen yhä pienempiin ja pienempiin laitteisiin, joka on myös alentanut niiden hintoja. Ubiikkilaskennan aikakauden koittaessa ovet avautuvat myös laajamittaisiin uusiin sovelluksiin. Ubiikkilaskenta on löytänyt tiensä tuotteisiin sen vaatimissa teknologioissa tapahtuneiden parannusten ansiosta. Rajoitteisten laitteiden kuten RFID-tagien kehittyminen mahdollistaa uusia palveluja ja tuo sulautetut järjestelmät jokapäiväiseen toimintaympäristöömme. Kaikkialle leviävät langattomat laitteet tulevat kiinteäksi osaksi maailmaamme. Kaikkialle läpitunkevan laskennan lisääntyessä turvallisuusnäkökohtien ottaminen huomioon on entistä tärkeämpää. Turvallisuutta ei kuitenkaan voi tarkastella irrallaan muusta kokonaisuudesta, vaan sitä tulee arvioida suhteessa muihin ominaisuuksiin kuten suorituskykyyn ja kustannuksiin. Erityisesti kun suunnitellaan salausteknisiä algoritmeja äärimmäisen rajoitteisiin ympäristöihin kohdataan useita haasteita joihin on viime vuosina pyritty vastaamaan esittämällä lukuisia uusia kevyen luokan salausalgoritmeja. Tämän väitöskirjatyön tarkoituksena on arvioida uusien kevyen luokan salausalgoritmien kryptografista turvallisuutta. Väitöskirjassa kehitetään kryptoanalyyttisiä menetelmiä, joilla voidaan määrittää eräiden uraa uurtavien uusien kevyen luokan lohkosalausalgoritmien turvallisuustaso. Työssä tutkitaan lineaarista nollakorrelaatiomenetelmää ja esitetään matriisimenetelmä, jolla voidaan helpottaa nollakorrelaatiorelaatioiden löytämistä. Sovelluksena esitetään 22 kierroksen LBlock ja TWINE lohkosalausalgoritmien nollakorrelaatioanalyysi. Analyysimenetelmää myös simuloidaan LBlock-algoritmin pienennetyllä versiolla. Tuloksena on ensimmäinen tilastolliselle nollakorrelaatiomenetelmälle suoritettu kokeellinen analyysi ja se tukee aiemmin esitettyä teoreettista mallia. Tutkimuksessa saavutetaan myös uusia tuloksia lohkosalausalgoritmien liukuanalyysi- ja heijastusanalyysimenetelmistä, jotka laajentavat merkittävästi aikaisemmin tunnettujen lohkosalausalgoritmien nk. itseensärinnastavien menetelmien hyödynnettävyyttä ja toimivuutta. Päinvastoin kuin klassiset lähestymistavat, tässä työssä esitetyt laajennukset eivät rajoitu vain deterministisen relaation tapaukseen. Uuden mallin toimivuutta havainnollistetaan esittämällä uusia tilastollisia ja rakenteellisia kryptoanalyyseja tunnetuille kevyen luokan lohkosalausalgoritmeille: ITUBee, Zorro ja LED. Heijastusmenetelmällä suoritetun analyysin pohjalta esitetään myös uusia suunnittelukriteerejä PRINCE-tyypin salausalgoritmeille

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Zero-correlation linear attack is a new method for cryptanalysis of block ciphers developed by Bogdanov et al. in 2012. In this paper we adapt the matrix method to find zero-correlation linear approximations. Then we present several zero-correlation linear approximations for 14 rounds of LBlock and describe a cryptanalysis for 22 rounds of the reduced LBlock. After biclique attacks on LBlock revealed weaknesses in its key schedule, its designers presented a new version of the cipher with a revised key schedule. The attack presented in this paper is applicable to LBlock structure independently of the key scheduling. The attack needs distinct known plaintexts which is a more realistic attack model in comparison with impossible differential cryptanalysis which uses chosen plaintext pairs. Moreover, we performed simulations on a small variant LBlock and present the first experimental results on the theoretical model of the multidimensional zero-correlation linear cryptanalysis method