47 research outputs found

    Differential Cryptanalysis of 18-Round PRIDE

    The rapid growth of the Internet of Things, together with the increasing popularity of connected objects, has created a need for secure, efficient and lightweight ciphers. Among the multitude of candidates, the block cipher PRIDE is, to this day, one of the most efficient solutions for 8-bit microcontrollers. In this paper, we provide new insights into and a better understanding of differential attacks on PRIDE. First, we show that two previous attacks are incorrect, and describe (new and old) properties of the cipher that make such attacks intricate. Based on this understanding, we show how to properly mount a differential attack. Our proposal is the first single-key differential attack that reaches 18 rounds out of 20. It requires $2^{61}$ chosen plaintexts and recovers the 128-bit key with a final time complexity of $2^{63.3}$ encryptions, while requiring a memory of about $2^{35}$ blocks of 64 bits.

    On Boomerang Attacks on Quadratic Feistel Ciphers

    The recent introduction of the Boomerang Connectivity Table (BCT) at Eurocrypt 2018 revived interest in boomerang cryptanalysis and in the need to correctly build boomerang distinguishers. Several important advances have been made on this matter, in particular the extension of the BCT theory to multiple rounds and to different types of ciphers. In this paper, we pursue these investigations by studying the specific case of quadratic Feistel ciphers, motivated by the need to look at two particularly lightweight ciphers, KATAN and Simon. Our analysis shows that their light round function leads to an extreme case, as a one-round boomerang can only have a probability of 0 or 1. We identify six papers presenting boomerang analyses of KATAN or Simon, and all use the naive approach to compute the distinguisher’s probability. We are able to prove that several results are theoretically incorrect, and we run experiments to check the probability of the others. Many do not have the claimed probability: in some cases the distinguisher fails, but we also identify instances where the experimental probability turns out to be better than the claimed one. To address this shortfall, we propose an SMT model taking into account the boomerang constraints. We present several experimentally verified related-key distinguishers obtained with our new technique: on KATAN32 a 151-round boomerang, and on Simon-32/64 a 17-round boomerang, a 19-round rotational-xor boomerang and a 15-round rotational-xor-differential boomerang. Furthermore, we extend our 19-round distinguisher into a 25-round rotational-xor rectangle attack on Simon-32/64. To the best of our knowledge, this attack reaches one more round than previously published results.

    Cryptanalysis of the FLIP Family of Stream Ciphers

    At Eurocrypt 2016, Méaux et al. proposed FLIP, a new family of stream ciphers intended for use in Fully Homomorphic Encryption systems. Unlike its competitors, which either have a low initial noise that grows at each successive encryption or a high constant noise, the FLIP family of ciphers achieves a low constant noise thanks to a new construction called the filter permutator. In this paper, we present an attack on the early version of FLIP that exploits the structure of the filter function and the constant internal state of the cipher. Applying this attack to the two instantiations proposed by Méaux et al. allows for a key recovery in $2^{54}$ basic operations (resp. $2^{68}$), compared to the claimed security of $2^{80}$ (resp. $2^{128}$).

    On the Feistel Counterpart of the Boomerang Connectivity Table: Introduction and Analysis of the FBCT

    At Eurocrypt 2018, Cid et al. introduced the Boomerang Connectivity Table (BCT), a tool to compute the probability of the middle round of a boomerang distinguisher from the description of the cipher’s Sbox(es). Their new table and the following works led to a refined understanding of boomerangs, and resulted in a series of improved attacks. Still, these works only addressed the case of Substitution Permutation Networks, and completely left out the case of ciphers following a Feistel construction. In this article, we address this gap by introducing the FBCT, the Feistel counterpart of the BCT. We show that the coefficient at row $\Delta_i, \nabla_o$ corresponds to the number of times the second-order derivative at points $(\Delta_i, \nabla_o)$ cancels out. We explore the properties of the FBCT and compare it to what is known about the BCT. Taking matters further, we show how to compute the probability of a boomerang switch over multiple rounds with a generic formula.

    Masked Iterate-Fork-Iterate: A new Design Paradigm for Tweakable Expanding Pseudorandom Function

    Many modes of operation for block ciphers or tweakable block ciphers do not require invertibility from their underlying primitive. In this work, we study fixed-length Tweakable Pseudorandom Functions (TPRF) with large domain extension, a novel primitive that can bring high security and significant performance optimizations in symmetric schemes such as (authenticated) encryption. Our first contribution is to introduce a new design paradigm, derived from the Iterate-Fork-Iterate construction, in order to build $n$-to-$\alpha n$-bit ($\alpha \geq 2$), $n$-bit secure, domain-expanding TPRFs. We dub this new generic composition masked Iterate-Fork-Iterate (mIFI). We then propose a concrete TPRF instantiation, ButterKnife, that expands an $n$-bit input to an $8n$-bit output via a public tweak and a secret key. ButterKnife is built with high efficiency and security in mind. It is fully parallelizable and based on Deoxys-BC, the AES-based tweakable block cipher used in the winning authenticated encryption algorithm of the defense-in-depth category of the recent CAESAR competition. We analyze the resistance of ButterKnife to differential, linear, meet-in-the-middle, impossible-differential and rectangle attacks. Special care is taken with the attack scenarios made possible by the multiple branches. Our next contribution is to design and provably analyze two new TPRF-based deterministic authenticated encryption (DAE) schemes, called SAFE and ZAFE, that are highly efficient, parallelizable, and offer $(n+\min(n,t))/2$ bits of security, where $n, t$ denote respectively the input block and the tweak sizes of the underlying primitives. We further implement SAFE with ButterKnife to show that it achieves an encryption performance of 1.06 c/B for long messages on Skylake, which is 33-38% faster than the comparable Crypto'17 TBC-based ZAE DAE. Our second candidate, ZAFE, which uses the same authentication pass as ZAE, is estimated to offer a similar level of speedup. Besides, we show that ButterKnife, when used in Counter Mode, is slightly faster than AES (0.50 c/B vs 0.56 c/B on Skylake).

    CTET+: A Beyond-Birthday-Bound Secure Tweakable Enciphering Scheme Using a Single Pseudorandom Permutation

    In this work, we propose a construction of 2-round tweakable substitution permutation networks using a single secret S-box. This construction is based on non-linear permutation layers using independent round keys, and achieves security beyond the birthday bound in the random permutation model. When instantiated with an n-bit block cipher with κ-bit keys, the resulting tweakable block cipher, dubbed CTET+, can be viewed as a tweakable enciphering scheme that encrypts ωn-bit messages for any integer ω ≥ 2 using 5n + κ-bit keys and n-bit tweaks, providing 2n/3-bit security. Compared to the 2-round non-linear SPN analyzed in [CDK+18], we both minimize it by requiring a single permutation and weaken the requirements on the middle linear layer, allowing better performance. As a result, CTET+ becomes the first tweakable enciphering scheme that provides beyond-birthday-bound security using a single permutation, while its efficiency is still comparable to existing schemes including AES-XTS, EME, XCB and TET. Furthermore, we propose a new tweakable enciphering scheme, dubbed AES6-CTET+, which is an actual instantiation of CTET+ using a reduced-round AES block cipher as the underlying secret S-box. Extensive cryptanalysis of this algorithm allows us to claim 127 bits of security. Such tweakable enciphering schemes with huge block sizes become desirable in the context of disk encryption, since processing a whole sector as a single block significantly worsens the granularity for attackers when compared to, for example, AES-XTS, which treats every 16-byte block on the disk independently. Besides, as a huge amount of data is being stored and encrypted at rest under many different keys in clouds, beyond-birthday-bound security will most likely become necessary in the short term.

    Rasta: A cipher with low ANDdepth and few ANDs per bit

    Recent developments in multi-party computation (MPC) and fully homomorphic encryption (FHE) have promoted the design and analysis of symmetric cryptographic schemes that minimize multiplications in one way or another. In this paper, we propose Rasta, a design strategy for symmetric encryption that has ANDdepth d and at the same time only needs d ANDs per encrypted bit. Even for very low values of d between 2 and 6 we can give strong evidence that attacks may not exist. This contributes to a better understanding of the limits of what concrete symmetric-key constructions can theoretically achieve with respect to AND-related metrics, and is to the best of our knowledge the first attempt that minimizes both metrics simultaneously. Furthermore, we can give evidence that for choices of d between 4 and 6 the resulting implementation properties may well be competitive, by testing our construction in the use case of removing the large ciphertext expansion when using the BGV scheme.

    Centre d’études africaines

    Monika Salzbrunn, CNRS research fellow; Mahamet Timera, senior lecturer at the Université du Havre. Religion and migration: transnational social spaces in France and Germany in the 20th century. The seminar was devoted to reflection on the theoretical and methodological approaches to the study of migration networks: 1) definitions of transnational social space; 2) definitions of the diaspora; 3) figures of the foreigner, identities and otherness (presented by Britta Leiser..

    Cryptanalysis of symmetric ciphers

    The work carried out in this thesis concerns the security analysis of secret-key ciphers. More precisely, we describe the cryptanalysis of several block and stream ciphers that have in common that they were recently designed to meet the new challenges of symmetric cryptography. We present attacks on the full versions of five ciphers, thereby proving that these cryptographic primitives do not provide the security claimed by their designers. The first part of this thesis is dedicated to the analysis of block ciphers with differential cryptanalysis techniques. We show how to mount a truncated differential attack on the lightweight cipher family KLEIN by exploiting the weak diffusion of its round function. We then turn to Zorro and Picaro, two ciphers designed to be easy to protect against side-channel attacks, and show that the design choices driven by this constraint introduced weaknesses in their differential properties, which can then be exploited in attacks. The second part of the manuscript deals with the cryptanalysis of stream ciphers. We study Sprout and Flip, two ciphers with innovative structures aiming respectively at limiting the size of the hardware circuit needed for implementation and at fitting well into an FHE scheme.

    The main subject of this thesis is the security analysis of symmetric-key ciphers. Specifically, we study several recently proposed block and stream ciphers and prove that the level of security stated by their designers is overestimated. The ciphers we study were all designed in order to meet the needs of one of the new applications of symmetric cryptography, which include symmetric ciphers for very constrained environments. The first part of the thesis is dedicated to the analysis of block ciphers with techniques based on differential cryptanalysis. We start with the description of a truncated differential attack on the family of lightweight ciphers KLEIN. Next, we analyse two ciphers that were designed in such a way that they could be easily and effectively protected against side-channel attacks: Zorro and Picaro. We show that the design choices made by their designers lead to weak diffusion properties. We exploit these imperfections to devise a differential cryptanalysis of Zorro and a related-key attack on Picaro. The second part of this thesis deals with stream ciphers and gives an analysis of two innovative designs: Sprout and Flip. Sprout was designed in order to limit its hardware area and to suit very constrained environments, while Flip achieves efficient performance when used in FHE schemes. In both cases, we find flaws that lead to attacks on the particular set of parameters proposed for these ciphers.

    Cryptanalysis of KLEIN
