DOCSLIB.ORG

Cryptanalysis of Lightweight Ciphers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Downloaded from orbit.dtu.dk on: Sep 26, 2021 Cryptanalysis of Lightweight Ciphers Borghoff, Julia Publication date: 2011 Document Version Early version, also known as pre-print Link back to DTU Orbit Citation (APA): Borghoff, J. (2011). Cryptanalysis of Lightweight Ciphers. Technical University of Denmark. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Technical University of Denmark DTU Mathematics Department of Mathematics Cryptanalysis of Lightweight Ciphers Julia Borghoff Ph.D. Thesis Kongens Lyngby December 2010 Date JuliaBorghoff Technical University of Denmark Department of Mathematics Matematiktorvet Building 303S DK-2800 Kongens Lyngby Denmark Phone +45 45253031 Fax +45 45881399 www.mat.dtu.dk Title of Thesis: Cryptanalysis of Lightweight Ciphers Ph.D. student: Julia Borghoff Department of Mathematics Technical University of Denmark Address: Matematiktorvet, DTU Building 303 S, DK-2800 Lyngby, Denmark E-mail: J.Borghoff@mat.dtu.dk Supervisors: Lars Ramkilde Knudsen Department of Mathematics Technical University of Denmark Address: Matematiktorvet, DTU Building 303 S, DK-2800 Lyngby, Denmark E-mail: [email protected] Censors: Peter Beelen, DTU mathematics Thomas Johansson, Lund University Vincent Rijmen, KU Leuven Summary Lightweight encryption denotes a class of cryptographic algorithms that are suitable for extremely resource constrained environments and offer a moderate security level. The demand for such lightweight encryption algorithms increases because small com- puting devices such as RFID tags become more and more popular and establish a part of the pervasive communication infrastructure. But this extensive employment of computing devices is not only convenient, it also carries security risks. Lightweight encryption algorithms can be divided into two classes: lightweight block ciphers and stream ciphers. Before a new algorithm can be deployed an exten- sive assessment and analysis of its security is necessary. In this thesis we focus on the cryptanalysis of lightweight encryption schemes and we consider the two block cipher C2 and Maya, as well as the stream cipher Trivium. We start with an intro- duction to block ciphers and stream ciphers and give an overview of the most general techniques in cryptanalysis. Furthermore, we investigate block ciphers with secret components. The idea of using secret components is to increase the security of the cipher. We present a cryptanalysis of the cipher C2 where we apply a newly developed technique for recovering the secret S-box, and a cryptanalysis of the PRESENT-like cipher Maya, which involves a differential-style attack. In the analysis of the stream cipher Trivium we combine optimization techniques with cryptanalysis. In this new direction of research we examine the use of mixed-integer optimization and neighbor- hood search algorithms such as simulated annealing for solving non-linear Boolean equation systems. i Resum´e(in Danish) Letvægtskryptering betegner en klasse af kryptografiske algoritmer, som er specielt egnede til miljøer med ekstremt begrænsede ressourcer, og som giver et moderat sikker- hedsniveau. Efterspørgslen efter s˚adanne letvægtskrypteringsalgoritmer vokser, fordi mikro-computere, s˚asom RFID-tags, bliver mere og mere populære som en del af vores voksende kommunikationsinfrastruktur. Denne omfattende brug af mikro-computere er ikke kun praktisk, men medfører ogs˚apotentielle sikkerhedsrisici. Letvægtskrypteringsalgoritmer kan inddeles i to klasser: letvægtsblokchifre og strømchifre. Før ibrugtagning skal en ny algoritme underkastes en omfattende sikker- hedsvurdering og -analyse. I denne afhandling fokuserer vi p˚akryptoanalyse af letvægt- skrypteringalgoritmer, og vi undersøger de to blokchifre C2 og Maya samt strømchifferet Trivium. Vi begynder med en introduktion til blokchifre og strømchifre og giver et overblik over de mest generelle metoder til kryptoanalyse. Desuden undersøger vi blokchifre med hemmelige komponenter, hvis form˚al er at øge chifferets sikkerhed. Vi præsenterer en kryptoanalyse af chifferet C2, hvor vi anvender en nyudviklet teknik til at finde den hemmelige S-box, og en kryptoanalyse, som inkluderer et differentielt angreb, af det Present-lignende chiffer Maya. I analysen af strømchifferet Trivium kombinerer vi optimeringsmetoder med kryptoanalyse. I denne nye forskningsretning undersøger vi brugen af blandet-heltalsoptimering og omegns-søgealgoritmer s˚asom “simulated annealing” til løsning af ikke-lineære boolske ligningssystemer. iii Preface Most people use cryptography several times a day, often without being aware of it. Home banking, the Internet, mobile phones, NemID or access cards are just some examples. The digital world becomes more and more important in our lives, there- fore it also becomes more and more important that our transactions in that world are secure such that nobody can manipulate our data, eavesdrop on our communica- tions etc. Mathematical algorithms called cryptographic primitives found the basis of the security. Any trapdoor in these primitives threatens the security of the applica- tion. Therefore it is important to analyze them carefully before they are employed in practice. This analysis is called cryptanalysis. Cryptanalysis advances by discovering unforeseen and unexpected structure of cryptographic problems. Such structural properties can often be exploited to decrease the complexity of breaking the cryptosystem below the designated security level. In this thesis we investigate in particular the security of lightweight encryption schemes. These are cryptographic algorithms which can be employed in resource con- strained environments. We try to identify certain properties in the different algorithms which can be exploited to break the ciphers. In Part I we give a short introduction into symmetric cryptographic primitives and their cryptanalysis. Chapter 1 provides a motivation and a general introduction to the field of cryptog- raphy. We introduce the cryptographic concepts such as symmetric and public-key encryption and define terminology such as security definitions, attack goals and sce- narios. Chapter 2 introduces the cryptographic primitives called block ciphers. We provide a short description of both Feistel ciphers and substitution-permutation networks, and introduce the ciphers C2 and PRESENT as examples of these design concepts. Chapter 3 gives a short overview of stream cipher design. We compare the two most common stream cipher designs, synchronous and self-synchronizing stream ciphers and afterwards we focus on the design of synchronous stream ciphers. We discuss the properties of building blocks such as LFSRs and sketch designs based on them. After a short discussion of security considerations the chapter concludes with a description of the stream cipher Trivium. Chapter 4 provides an introduction to cryptanalysis applied to block and stream ci- phers. We give a short description of generic attacks such as the exhaustive key search, the table look-up attack, the dictionary attack, and the time-memory trade-offs. These attacks set the bounds on the security of block and stream ciphers. Subsequently, we present the two most important techniques in the cryptanalysis of symmetric en- cryption schemes: differential and linear cryptanalysis. Additionally, we describe the v vi boomerang and the cube attacks as variants of the classical differential attack. The chapter concludes with algebraic attacks. Algebraic representations of symmetric en- cryption scheme are the basis for the novel cryptanalysis presented in Part III. In Part II we examine the security of block ciphers with secret components where we in particular consider block ciphers with secret S-boxes. Chapter 5 is concerned with the cryptanalysis of the cipher C2. C2 is 64-bit block Feistel cipher with a 56-bit key. The 8-bit S-box is application-dependent and kept secret. We show a trial-and error attack which recovers the S-box in only 224 queries to the device and present a boomerang attack to determine the secret key. The dif- ferential used in the attack is independent of the S-box. These two attacks can be combined to an attack that enables us to recover the key and the S-box at the same time. This chapter is based on [22]. Chapter 6 addresses the cryptanalysis of PRESENT-like ciphers with secret S-boxes. We present a new differential-style attack which enables us to recover the S-boxes of the first round of encryption. Furthermore, we show that an S-box can be uniquely determined if we know all sets of input pairs, which lead to an output difference of Hamming weight one, for the S-box and its inverse. The attack is successfully carried out on the cipher Maya and we are able to break the full version consisting of 16 rounds with a practical complexity. Based on a mathematical model we infer that our attack
Recommended publications
  • Report on the AES Candidates

    Report on the AES Candidates

    Rep ort on the AES Candidates 1 2 1 3 Olivier Baudron , Henri Gilb ert , Louis Granb oulan , Helena Handschuh , 4 1 5 1 Antoine Joux , Phong Nguyen ,Fabrice Noilhan ,David Pointcheval , 1 1 1 1 Thomas Pornin , Guillaume Poupard , Jacques Stern , and Serge Vaudenay 1 Ecole Normale Sup erieure { CNRS 2 France Telecom 3 Gemplus { ENST 4 SCSSI 5 Universit e d'Orsay { LRI Contact e-mail: [email protected] Abstract This do cument rep orts the activities of the AES working group organized at the Ecole Normale Sup erieure. Several candidates are evaluated. In particular we outline some weaknesses in the designs of some candidates. We mainly discuss selection criteria b etween the can- didates, and make case-by-case comments. We nally recommend the selection of Mars, RC6, Serp ent, ... and DFC. As the rep ort is b eing nalized, we also added some new preliminary cryptanalysis on RC6 and Crypton in the App endix which are not considered in the main b o dy of the rep ort. Designing the encryption standard of the rst twentyyears of the twenty rst century is a challenging task: we need to predict p ossible future technologies, and wehavetotake unknown future attacks in account. Following the AES pro cess initiated by NIST, we organized an op en working group at the Ecole Normale Sup erieure. This group met two hours a week to review the AES candidates. The present do cument rep orts its results. Another task of this group was to up date the DFC candidate submitted by CNRS [16, 17] and to answer questions which had b een omitted in previous 1 rep orts on DFC.
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
  • Encryption Block Cipher

    Encryption Block Cipher

    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
  • Differential-Linear Cryptanalysis Revisited

    Differential-Linear Cryptanalysis Revisited

    Differential-Linear Cryptanalysis Revisited C´elineBlondeau1 and Gregor Leander2 and Kaisa Nyberg1 1 Department of Information and Computer Science, Aalto University School of Science, Finland fceline.blondeau, [email protected] 2 Faculty of Electrical Engineering and Information Technology, Ruhr Universit¨atBochum, Germany [email protected] Abstract. Block ciphers are arguably the most widely used type of cryptographic primitives. We are not able to assess the security of a block cipher as such, but only its security against known attacks. The two main classes of attacks are linear and differential attacks and their variants. While a fundamental link between differential and linear crypt- analysis was already given in 1994 by Chabaud and Vaudenay, these at- tacks have been studied independently. Only recently, in 2013 Blondeau and Nyberg used the link to compute the probability of a differential given the correlations of many linear approximations. On the cryptana- lytical side, differential and linear attacks have been applied on different parts of the cipher and then combined to one distinguisher over the ci- pher. This method is known since 1994 when Langford and Hellman presented the first differential-linear cryptanalysis of the DES. In this paper we take the natural step and apply the theoretical link between linear and differential cryptanalysis to differential-linear cryptanalysis to develop a concise theory of this method. We give an exact expression of the bias of a differential-linear approximation in a closed form under the sole assumption that the two parts of the cipher are independent. We also show how, under a clear assumption, to approximate the bias effi- ciently, and perform experiments on it.
  • Statistical Cryptanalysis of Block Ciphers

    Statistical Cryptanalysis of Block Ciphers

    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
  • Cryptanalysis of Symmetric-Key Primitives Based on the AES Block Cipher Jérémy Jean

    Cryptanalysis of Symmetric-Key Primitives Based on the AES Block Cipher Jérémy Jean

    Cryptanalysis of Symmetric-Key Primitives Based on the AES Block Cipher Jérémy Jean To cite this version: Jérémy Jean. Cryptanalysis of Symmetric-Key Primitives Based on the AES Block Cipher. Cryp- tography and Security [cs.CR]. Ecole Normale Supérieure de Paris - ENS Paris, 2013. English. tel- 00911049 HAL Id: tel-00911049 https://tel.archives-ouvertes.fr/tel-00911049 Submitted on 28 Nov 2013 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Université Paris Diderot École Normale Supérieure (Paris 7) Équipe Crypto Thèse de doctorat Cryptanalyse de primitives symétriques basées sur le chiffrement AES Spécialité : Informatique présentée et soutenue publiquement le 24 septembre 2013 par Jérémy Jean pour obtenir le grade de Docteur de l’Université Paris Diderot devant le jury composé de Directeur de thèse : Pierre-Alain Fouque (Université de Rennes 1, France) Rapporteurs : Anne Canteaut (INRIA, France) Henri Gilbert (ANSSI, France) Examinateurs : Arnaud Durand (Université Paris Diderot, France) Franck Landelle (DGA, France) Thomas Peyrin (Nanyang Technological University, Singapour) Vincent Rijmen (Katholieke Universiteit Leuven, Belgique) Remerciements Je souhaite remercier toutes les personnes qui ont contribué de près ou de loin à mes trois années de thèse.
  • Statistical Cryptanalysis of Block Ciphers

    Statistical Cryptanalysis of Block Ciphers

    Statistical Cryptanalysis of Block Ciphers THESE` N◦ 3179 (2004) PRESENT´ EE´ A` LA FACULTE´ INFORMATIQUE & COMMUNICATIONS Institut de syst`emes de communication SECTION DES SYSTEMES` DE COMMUNICATION ECOLE´ POLYTECHNIQUE FED´ ERALE´ DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ES` SCIENCES PAR Pascal JUNOD ing´enieur informaticien diplom´e EPF de nationalit´e suisse et originaire de Sainte-Croix (VD) accept´ee sur proposition du jury: Prof. Emre Telatar (EPFL), pr´esident du jury Prof. Serge Vaudenay (EPFL), directeur de th`ese Prof. Jacques Stern (ENS Paris, France), rapporteur Prof. em. James L. Massey (ETHZ & Lund University, Su`ede), rapporteur Prof. Willi Meier (FH Aargau), rapporteur Prof. Stephan Morgenthaler (EPFL), rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam.
  • Modern Cryptanalysis.Pdf

    Modern Cryptanalysis.Pdf

    Contents Acknowledgments Introduction Chapter 1: Simple Ciphers 1.1 Monoalphabetic Ciphers 1.2 Keying 1.3 Polyalphabetic Ciphers 1.4 Transposition Ciphers 1.5 Cryptanalysis 1.6 Summary Exercises References Chapter 2: Number Theoretical Ciphers 2.1 Probability 2.2 Number Theory Refresher Course 2.3 Algebra Refresher Course 2.4 Factoring-Based Cryptography 2.5 Discrete Logarithm-Based Cryptography 2.6 Elliptic Curves 2.7 Summary Exercises References Chapter 3: Factoring and Discrete Logarithms 3.1 Factorization 3.2 Algorithm Theory 3.3 Exponential Factoring Methods 3.4 Subexponential Factoring Methods 3.5 Discrete Logarithms 3.6 Summary Exercises References Chapter 4: Block Ciphers 4.1 Operations on Bits, Bytes, Words 4.2 Product Ciphers 4.3 Substitutions and Permutations 4.4 Substitution–Permutation Network 4.5 Feistel Structures 4.6 DES 4.7 FEAL 4.8 Blowfish 4.9 AES / Rijndael 4.10 Block Cipher Modes 4.11 Skipjack 4.12 Message Digests and Hashes 4.13 Random Number Generators 4.14 One-Time Pad 4.15 Summary Exercises References Chapter 5: General Cryptanalytic Methods 5.1 Brute-Force 5.2 Time–Space Trade-offs 5.3 Rainbow Tables 5.4 Slide Attacks 5.5 Cryptanalysis of Hash Functions 5.6 Cryptanalysis of Random Number Generators 5.7 Summary Exercises References Chapter 6: Linear Cryptanalysis 6.1 Overview 6.2 Matsui’s Algorithms 6.3 Linear Expressions for S-Boxes 6.4 Matsui’s Piling-up Lemma 6.5 Easy1 Cipher 6.6 Linear Expressions and Key Recovery 6.7 Linear Cryptanalysis of DES 6.8 Multiple Linear Approximations 6.9 Finding Linear Expressions

  • Related-Key Boomerang and Rectangle Attacks: Theory and Experimental Analysis Jongsung Kim, Seokhie Hong, Bart Preneel, Eli Biham, Orr Dunkelman, and Nathan Keller

    IEEE TRANSACTIONS ON INFORMATION THEORY , VOL. ?, NO. ??,SEPTEMBER, 2009 1 Related-Key Boomerang and Rectangle Attacks: Theory and Experimental Analysis Jongsung Kim, Seokhie Hong, Bart Preneel, Eli Biham, Orr Dunkelman, and Nathan Keller Abstract— The related-key differential attack and the thus, related-key boomerang/rectangle attacks on block ciphers boomerang attack are two of the classical techniques in crypt- are valid in general. On the other hand, due to the dependence of analysis of block ciphers. In 2004, we introduced the related- the probabilities on the key, it is important to verify the validity of key boomerang and related-key rectangle attacks, which allow the attack experimentally whenever possible in order to measure to enjoy the benefits of these two techniques simultaneously. The its success probability. new techniques proved to be very powerful, and were used to devise the best known attacks against numerous block ciphers, Index Terms— Related-key Boomerang Attack, Related-Key culminating with the first attack on the full AES presented in Rectangle Attack, Experimental Analysis, KASUMI. 2009 and a practical-time attack on KASUMI (the cipher used in GSM and 3G telephony) presented in 2010. While the claimed applications of the related-key I. INTRODUCTION boomerang/rectangle technique are significant, most of HE related-key differential attack, introduced by Kelsey them have a major drawback: due to the extremely high et al. [23] in 1996, is an extension of differential crypt- complexity of the attacks, their validity cannot be verified T experimentally. Together with the lack of rigorous justification analysis [5] in which it is assumed that the adversary has of the probabilistic assumptions underlying the technique, it was control over the key difference, along with the control over claimed that these assumptions cannot be relied upon, and thus, the plaintext/ciphertext differences.
  • LNCS 3494, Pp

    LNCS 3494, Pp

    Related-Key Boomerang and Rectangle Attacks Eli Biham1, Orr Dunkelman1,, and Nathan Keller2 1Computer Science Department, Technion, Haifa 32000, Israel {biham, orrd}@cs.technion.ac.il 2Einstein Institute of Mathematics, Hebrew University, Jerusalem 91904, Israel [email protected] Abstract. The boomerang attack and the rectangle attack are two at- tacks that utilize differential cryptanalysis in a larger construction. Both attacks treat the cipher as a cascade of two sub-ciphers, where there ex- ists a good differential for each sub-cipher, but not for the entire cipher. In this paper we combine the boomerang (and the rectangle) attack with related-key differentials. The new combination is applicable to many ciphers, and we demon- strate its strength by introducing attacks on reduced-round versions of AES and IDEA. The attack on 192-bit key 9-round AES uses 256 differ- ent related keys. The 6.5-round attack on IDEA uses four related keys (and has time complexity of 288.1 encryptions). We also apply these tech- niques to COCONUT98 to obtain a distinguisher that requires only four related-key adaptive chosen plaintexts and ciphertexts. For these ciphers, our results attack larger number of rounds or have smaller complexities then all previously known attacks. 1 Introduction The boomerang attack [23] is an adaptive chosen plaintext and ciphertext attack utilizing differential cryptanalysis [6]. The cipher is treated as a cascade of two sub-ciphers, where a short differential is used in each of these sub-ciphers. These two differentials are combined in an elegant way to suggest an adaptive chosen plaintext and ciphertext property of the cipher that has high probability.
  • Minimalism in Cryptography: the Even-Mansour Scheme Revisited

    Minimalism in Cryptography: the Even-Mansour Scheme Revisited

    Minimalism in Cryptography: The Even-Mansour Scheme Revisited Orr Dunkelman1,2, Nathan Keller2, and Adi Shamir2 1 Computer Science Department University of Haifa Haifa 31905, Israel [email protected] 2 Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box 26, Rehovot 76100, Israel {nathan.keller,adi.shamir}@weizmann.ac.il Abstract. In this paper we consider the following fundamental prob- lem: What is the simplest possible construction of a block cipher which is provably secure in some formal sense? This problem motivated Even and Mansour to develop their scheme in 1991, but its exact security re- mained open for more than 20 years in the sense that the lower bound proof considered known plaintexts, whereas the best published attack (which was based on differential cryptanalysis) required chosen plain- texts. In this paper we solve this long standing open problem by describ- ing the new Slidex attack which matches the T = Ω(2n/D) lower bound on the time T for any number of known plaintexts D. Once we obtain this tight bound, we can show that the original two-key Even-Mansour scheme is not minimal in the sense that it can be simplified into a single key scheme with half as many key bits which provides exactly the same security, and which can be argued to be the simplest conceivable provably secure block cipher. We then show that there can be no comparable lower bound on the memory requirements of such attacks, by developing a new memoryless attack which can be applied with the same time complexity but only in the special case of D = 2n/2.
  • My Crazy Boss Asked Me to Design a New Block Cipher. What's Next?

    My Crazy Boss Asked Me to Design a New Block Cipher. What's Next?

    Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. What’s next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Outline •High-Level Schemes •Confusion •Diffusion •Key-Schedule •Beyond the Design Pascal Junod -- Advanced Block Cipher Design 2 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Introduction Pascal Junod -- Advanced Block Cipher Design 3 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Some Simple Facts • As of today, nobody knows how to design a (mathematically proven) secure block cipher. • Problem related to fundamental open questions in mathematics/computer science • A secure block cipher is a block cipher that nobody can break... • A good block cipher is a secure block cipher that people like to implement. Pascal Junod -- Advanced Block Cipher Design 4 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria So many Designs in the Hierocrypt G-DES Wild... LOKI MacGuffin LION RC2 Akellare Coconut98 DFC Square E0 Twofish Anubis CAST Skipjack CS-Cipher DEAL Shark RC5 Rijndael IDEA Camellia Aria Present Noekeon Magenta DES-X Threefish RC6 Seed Mars FOX Serpent BassOmatic GOST DES MESH 3-Way E2 TEA Blowfish Misty XTEA Triple DES Cipherunicorn BEAR CLEFIA FEAL XXTEA 5 Madryga Designing a New Block Cipher • Several good and bad reasons: • Faster/smaller than any other one ✔ • With «better» security guarantees than any other one ✔✔ • My boss crazily asked me to design a new, secret (!) and patented (!!) block cipher ~ • Not enough proposals/diversity in the wild ✖ • I desperately need to publish something to finish my PhD thesis ! ✖ Pascal Junod -- Advanced Block Cipher Design 6 ECRYPT II Summer School - May 31st, 2011, Albena, Bulgaria Designing a New Block Cipher • Claude E.