22 research outputs found
Cryptanalysis of ARX-based White-box Implementations
At CRYPTOâ22, Ranea, Vandersmissen, and Preneel proposed a new way to design white-box implementations of ARX-based ciphers using so-called implicit functions and quadratic-affine encodings. They suggest the Speck block-cipher as an example target. In this work, we describe practical attacks on the construction. For the implementation without one of the external encodings, we describe a simple algebraic key recovery attack. If both external encodings are used (the main scenario suggested by the authors), we propose optimization and inversion attacks, followed by our main result - a multiple-step round decomposition attack and a decomposition-based key recovery attack. Our attacks only use the white-box round functions as oracles and do not rely on their description. We implemented and verified experimentally attacks on white-box instances of Speck-32/64 and Speck-64/128. We conclude that a single ARX-round is too weak to be used as a white-box round
Pitfalls and Shortcomings for Decompositions and Alignment (Full Version)
In this paper we, for the first time, study the question under which circumstances decomposing a round function of a Substitution-Permutation Network is possible uniquely. More precisely, we provide necessary and sufficient criteria for the non-linear layer on when a decomposition is unique. Our results in particular imply that, when cryptographically strong S-boxes are used, the decomposition is indeed unique.
We then apply our findings to the notion of alignment, pointing out that the previous definition allows for primitives that are both aligned and unaligned simultaneously.
As a second result, we present experimental data that shows that alignment might only have limited impact. For this, we compare aligned and unaligned versions of the cipher PRESENT
Strong and Tight Security Guarantees against Integral Distinguishers
Integral attacks belong to the classical attack vectors against any given block ciphers. However, providing arguments that a given cipher is resistant against those attacks is notoriously difficult.
In this paper, based solely on the assumption of independent round keys, we develop significantly stronger arguments than what was possible before: our main result is that we show how to argue that the sum of ciphertexts over any possible subset of plaintext is key-dependent, i.e., the non existence of integral distinguishers
On Recovering Affine Encodings in White-Box Implementations
Ever since the first candidate white-box implementations by Chow et al. in 2002, producing a secure white-box implementation of AES has remained an enduring challenge.
Following the footsteps of the original proposal by Chow et al., other constructions were later built around the same framework. In this framework, the round function of the cipher is encoded by composing it with non-linear and affine layers known as encodings. However, all such attempts were broken by a series of increasingly efficient attacks that are able to peel off these encodings, eventually uncovering the underlying round function, and with it the secret key.
These attacks, however, were generally ad-hoc and did not enjoy a wide applicability. As our main contribution, we propose a generic and efficient algorithm to recover affine encodings, for any Substitution-Permutation-Network (SPN) cipher, such as AES, and any form of affine encoding.
For AES parameters, namely 128-bit blocks split into 16 parallel 8-bit S-boxes, affine encodings are recovered with a time complexity estimated at basic operations, independently of how the encodings are built.
This algorithm is directly applicable to a large class of schemes. We illustrate this on a recent proposal due to Baek, Cheon and Hong, which was not previously analyzed. While Baek et al. evaluate the security of their scheme to 110 bits, a direct application of our generic algorithm is able to break the scheme with an estimated time complexity of only basic operations.
As a second contribution, we show a different approach to cryptanalyzing the Baek et al. scheme, which reduces the analysis to a standalone combinatorial problem, ultimately achieving key recovery in time complexity . We also provide an implementation of the attack, which is able to recover the secret key in about 12 seconds on a standard desktop computer
PRINCEv2 - More Security for (Almost) No Overhead
In this work, we propose tweaks to the PRINCE block cipher that help us to increase its security without changing the number of rounds or round operations. We get substantially higher security for the same complexity. From an implementation perspective, PRINCEv2 comes at an extremely low overhead compared to PRINCE in all key categories, such as area, latency and energy. We expect, as it is already the case for PRINCE, that the new cipher PRINCEv2 will be deployed in various settings
Optimisation des principaux composants des chiffrements par bloc
Along with new cryptanalysis techniques, the security of block ciphers is always evolving. When designing new block ciphers, we thus need to consider these new techniques during the security analysis. In this thesis, we show how to build some core operations for block ciphers to improve the security against some attacks. We first start by describing a method to find optimal (according to some criterion) even-odd permutations for a Generalized Feistel Network. Using a new characterization and an efficient algorithm, we are able to solve a 10-years old problem. We then give new cryptanalysis techniques to improve the division property, along with a new proven optimal criterion for designing S-boxes. We continue with new observations for the design of an alternative key-schedule for AES. We thus give a new key-schedule, which is both more efficient and more secure against some attacks compared to the original one. Finally, we describe a very efficient generic algorithm to break most proposals in white-box cryptography, as well as a dedicated attack on a previously not analyzed scheme, leading to a key-recovery attack in a few seconds.La sĂ©curitĂ© des chiffrements par bloc Ă©volue constamment au fur et Ă mesure que de nouvelles techniques de cryptanalyse sont dĂ©couvertes. Lors de la conception de nouveaux chiffrements par bloc, il est donc nĂ©cessaire de considĂ©rer ces nouvelles techniques dans l'analyse de sĂ©curitĂ©. Dans cette thĂšse, nous montrons comment construire certaines opĂ©rations internes des chiffrements par bloc pour amĂ©liorer la rĂ©sistance Ă certaines attaques. Nous commençons par donner une mĂ©thode pour trouver les permutations paires-impaires optimales selon un certain critĂšre pour les RĂ©seaux de Feistel GĂ©nĂ©ralisĂ©s. GrĂące Ă une nouvelle caractĂ©risation et Ă un algorithme efficace, nous sommes notamment capables de rĂ©soudre un problĂšme ouvert depuis 10 ans. Nous donnons ensuite de nouvelles techniques de cryptanalyse pour amĂ©liorer la division property, qui nous permet Ă©galement de donner un nouveau critĂšre optimal pour la conception de boĂźtes-S. Nous continuons avec de nouvelles observations pour un cadencement de clĂ© alternatif pour AES. Ceci nous permet de donner un nouveau cadencement de clĂ©, Ă la fois plus efficace et augmentant la sĂ©curitĂ© face Ă certaines attaques par rapport Ă lâoriginal. Pour finir, nous prĂ©sentons un algorithme gĂ©nĂ©ral trĂšs effiace permettant dâattaquer la majoritĂ© des propositions pour la cryptographie en boĂźte blanche, ainsi quâune attaque dĂ©diĂ©e sur un schĂ©ma non attaquĂ© jusque lĂ , donnant lieu Ă une attaque qui nâa besoin que de quelques secondes pour retrouver la clĂ©
Fast MILP Models for Division Property
Nowadays, MILP is a very popular tool to help cryptographers search for various distinguishers, in particular for integral distinguishers based on the division property. However, cryptographers tend to use MILP in a rather naive way, modeling problems in an exact manner and feeding them to a MILP solver. In this paper, we show that a proper use of some features of MILP solvers such as lazy constraints, along with using simpler but less accurate base models, can achieve much better solving times, while maintaining the precision of exact models. In particular, we describe several new modelization techniques for division property related models as well as a new variant of the Quine-McCluskey algorithm for this specific setting. Moreover, we positively answer a problem raised in [DF20] about handling the large sets of constraints describing valid transitions through Super S-boxes into a MILP model. As a result, we greatly improve the solving times to recover the distinguishers from several previous works ([DF20], [HWW20], [SWW17], [Udo21], [EY21]) and we were able to search for integral distinguishers on 5-round ARIA which was out of reach of previous modeling techniques
Pitfalls and Shortcomings for Decompositions and Alignment
peer reviewedIn this paper we, for the first time, study the question under which circumstances decomposing a round function of a Substitution-Permutation Network is possible uniquely. More precisely, we provide necessary and sufficient criteria for the non-linear layer on when a decomposition is unique. Our results in particular imply that, when cryptographically strong S-boxes are used, the decomposition is indeed unique. We then apply our findings to the notion of alignment, pointing out that the previous definition allows for primitives that are both aligned and unaligned simultaneously. As a second result, we present experimental data that shows that alignment might only have limited impact. For this, we compare aligned and unaligned versions of the cipher PRESENT
Cryptanalysis of ARX-based White-box Implementations
At CRYPTOâ22, Ranea, Vandersmissen, and Preneel proposed a new way to design white-box implementations of ARX-based ciphers using so-called implicit functions and quadratic-affine encodings. They suggest the Speck block-cipher as an example target.In this work, we describe practical attacks on the construction. For the implementation without one of the external encodings, we describe a simple algebraic key recovery attack. If both external encodings are used (the main scenario suggested by the authors), we propose optimization and inversion attacks, followed by our main result - a multiple-step round decomposition attack and a decomposition-based key recovery attack.Our attacks only use the white-box round functions as oracles and do not rely on their description. We implemented and verified experimentally attacks on white-box instances of Speck-32/64 and Speck-64/128. We conclude that a single ARX-round is too weak to be used as a white-box round
Linearly equivalent S-boxes and the division property
Division property is a cryptanalysis method that proves to be very efficient on block ciphers. Computer-aided techniques such as MILP have been widely and successfully used to study various cryptanalysis techniques, and it especially led to many new results for the division property. Nonetheless, we claim that the previous techniques do not consider the full search space. We show that even if the previous techniques fail to find a distinguisher based on the division property over a given function, we can potentially find a relevant distinguisher over a linearly equivalent function. We show that the representation of the block cipher heavily influences the propagation of the division property, and exploiting this, we give an algorithm to efficiently search for such linear mappings. As a result, we exhibit a new distinguisher over 10 rounds of RECTANGLE, while the previous best was over 9 rounds, and rule out such a distinguisher over more than 9 rounds of PRESENT. We also give some insight about the construction of an S-box to strengthen a block cipher against our technique. We prove that using an S-box satisfying a certain criterion is optimal in term of resistance against classical division property. Accordingly, we exhibit stronger variants of RECTANGLE and PRESENT, improving the resistance against division property based distinguishers by 2 rounds