DOCSLIB.ORG

Basic Concepts of Cryptography ECE 646 – Lecture 1

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Basic Concepts of Cryptography ECE 646 – Lecture 1 ECE 646 – Lecture 1 CRYPTOLOGY CRYPTOGRAPHY CRYPTANALYSIS Basic Concepts of Cryptography from Greek cryptos - hidden, secret logos - word graphos - writing 2 1 2 Basic Vocabulary Cryptosystem (Cipher) encryption decryption message ciphertext N bits message (cryptogram, message (plaintext, encrypted (plaintext, clear message) message) clear message) cryptographic key M C M K bits Sender Receiver M bits ciphertext 3 4 3 4 1 Definition of a cryptosystem (cipher) Substitution Cipher encryption function EK(M) a b c d e f g h i j k l m n o p q r s t u v w x y z Key = family of encryption f q i s h n c v j t y a u w d r e x l b m z o g k p functions message space key space ciphertext space TO BE OR NOT TO BE encryption M K key K C BD QH DX WDB BD QH decryption family of decryption TO BE OR NOT TO BE functions 26 decryption function DK(C) Number of keys = 26! ≈ 4 ∙ 10 K Î K M Î M DK(EK(M)) = M 5 6 5 6 Unpublished vs. published algorithm? Kerckhoffs’s principle Unpublished algorithm Published algorithm 1. The only reliable way of The security of a cipher MUST NOT depend 1. Cryptanalysis must include assessing cipher security recovering the algorithm on anything that cannot be easily changed 2. Prevents backdoors hidden by designers 2. Smaller number of users, 3. Large number of implementations smaller motivation to break = low cost + high performance 4. No need for anti-reverse- 3. Unavailable for other engineering protection Auguste Kerckhoffs, 1883, countries 5. Software implementations Dutch Linguist and 6. Domestic and international Cryptographer standardization 7 8 7 8 2 Fundamental Tenet of Cryptography Breaking ciphers used in GSM, 1999 (1) GSM - protocols for second-generation (2G) digital cellular networks used by mobile devices such as mobile phones and tablets. If lots of smart people have failed to solve • Developed in late 1980’s and early 1990’s a problem, then it probably will not be • Over 100 million GSM subscribers by 1998 solved anytime soon. Initially, two voice encryption algorithms: A5/1 – for use in Europe and U.S.A. A5/2 – for use in other countries. Goal: encrypt voice between a cell phone and a base station 9 10 9 10 Breaking ciphers used in GSM (2) Breaking ciphers used in GSM (3) Published attacks Both voice encryption algorithms A5/2 • never published August 1999, Ian Goldberg and David Wagner, U.C. Berkeley • designed and analyzed by the secretive "SAGE" group Number of operations in the attack ~ 216 (part of ETSI – European Telecommunications Standard Institute) A5/1 • A5/1 believed to be based on the modified French May 1999, Jovan Golic naval cipher Number of operations in the attack ~ 240 Both algorithms reverse-engineered by December 1999, Alex Biryukov and Adi Shamir Marc Briceno (Smartcard Developer Association) Less than 1 second on a single PC with 128 MB RAM published by the Berkeley crypto group and two 73 GB hard disks. A5/1 in May 1999, Based on the analysis of the A5/1 output A5/2 in August 1999 during the first two minutes of the conversation. 11 12 11 12 3 Breaking ciphers used in GSM (4) Breaking ciphers used in GSM (5) Recent Attacks Recent Attacks A5/2 A5/3 German computer engineer Karsten Nohl published a 2 TB Crypto conference, August 15-19, 2010 rainbow table which enables deriving a session key for any particular conversation with minimal hardware support. An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir. A5/3 Complexity: Published in 2003, based on the Japanese cipher Kasumi. 226 bytes of encrypted data, 230 bytes of memory, 232 operations: single PC, 96-bit key in a few minutes 128-bit key in less then two hours 13 14 13 14 Breaking ciphers used in GSM (5) Breaking ciphers used in GSM (5) Recent Attacks Recent Attacks A5/3 A5/3 Crypto conference, August 15-19, 2010 Crypto conference, August 15-19, 2010 An attack against Kasumi announced by Israeli researchers An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir. Orr Dunkelman, Nathan Keller, Adi Shamir. Complexity: Complexity: 226 bytes of encrypted data, 230 bytes of memory, 226 bytes of encrypted data, 230 bytes of memory, 232 operations: 232 operations: single PC, 96-bit key in a few minutes single PC, 96-bit key in a few minutes 128-bit key in less then two hours 128-bit key in less then two hours 15 16 15 16 4 Breaking ciphers used in GSM (6) Mifare Classics Recent Attacks Secret algorithm Crypto-1 developed by NXP Semiconductors, A5/3 used, among the others, in the public transport system cards in 2010 attack is a related-key attack – attacker must be able London (Oyster card), Boston (CharlieCard), Perth (SmartRider), to observe the results of encryptions using keys that have Seoul (T-money), Busan (Mybi), and in Netherlands (OV-Chipkaart) easily broken after successful reverse engineering of the chip. a known relationship. It is not clear that the Kasumi A total of about 1 billion cards all over the world. algorithm (A5/3) is used by the protocol in a way that would allow this attack to succeed. Interestingly, the Kasumi algorithm is closely based on a Mitsubishi algorithm known as MISTY1. MISTY1 is not vulnerable to the 2010 attack… 17 18 17 18 Attacks against Mifare Classics Crypto-1 Dec 2007-Apr 2008 • Proprietary encryption algorithm developed by Ø In 2007, Karsten Nohl and Henryk Plötz reverse engineered NXP Semiconductors MIFARE Classic • The security relies on the secrecy of Crypto-1 algorithm, Ø In 2009, researcher Flavio D. Garcia discovered card only • Pseudo random number generator attack that does not require a valid reader • 48-bit LFSR and two non-linear filter generators Ø In 2009, Nicolas T. Courtois form University College of London discovered an attack that can break Crypto-1 in just 1 second 19 20 19 20 5 SmarTrip SmarTrip Ø The Washington Metropolitan Area Transit Authority • MiFare Plus X (WMATA) SmartTrip card, 1999, the first contactless Ø NXP semiconductors, compatible with MiFare Classic 1K and 4K smartcard for transit in the U.S. Ø SmarTrip card uses MIFARE Plus X version based on 128-bit AES 21 22 21 22 Features required from today’s ciphers PERFORMANCE STRENGTH • software Types of Cryptosystems (1) • hardware Block vs. stream ciphers FUNCTIONALITY • easy key distribution • digital signatures 23 24 23 24 6 Block vs. stream ciphers Typical stream cipher M1, M2, …, Mn m1, m2, …, mn Sender Receiver initialization initialization key vector (seed) key vector (seed) Internal state - IS Block K K Stream cipher Pseudorandom Pseudorandom cipher Keystream Keystream Generator Generator C1, C2, …, Cn c1, c2, …, cn ki keystream ki keystream Ci=fK(Mi) ci = fK(mi, ISi) ISi+1=gK(mi, ISi) m c c Every block of ciphertext i i i mi Every block of ciphertext is a function of the current block plaintext ciphertext ciphertext plaintext is a function of only one of plaintext and the current internal state corresponding block of plaintext of the cipher 25 26 25 26 Classification of cryptosystems Terminology Types of Cryptosystems (2) secret-key public-key symmetric asymmetric Secret-key vs. public-key ciphers symmetric-key 27 28 27 28 7 Secret-key (Symmetric) Cryptosystems Key Distribution Problem key of Alice and Bob - KAB key of Alice and Bob - KAB Network Encryption Decryption Alice Bob Users Keys N · (N-1) N - Users Keys 100 5,000 2 1000 500,000 29 30 29 30 Features of Secret-Key Ciphers Major operations of secret-key ciphers (1) S-box Software Hardware PERFORMANCE C ROM STRENGTH • software S-box n x m n-bit address • hardware WORD S[1<<n]= Best attack: Building blocks: n { 0x23, 0x34, 0x56 Exhaustive-key search Operations easy to . 2n × m 2n words } 2k trials for a k-bit key implement in HW & SW bits S FUNCTIONALITY ASM m-bit output • easy key distribution m • digital signatures S DW 23H, 34H, direct logic 56H y ….. x1 1 ... ... y x2 2 Primary Application: Bulk data encryption ym xn 31 32 31 32 8 Major operations of secret-key ciphers (2) Major operations of secret-key ciphers (3) Variable Rotation Permutation Software Hardware Software Hardware Mux-based rotation A<<<0 A<<<16 x x x x n x1 2 3 n-1 n C C . C = (A << B) | (A >> (32-B)); B[4] complex B[3] P sequence of B[2] instructions B[1] . A <<< B <<, |, & B[0] n 32 y1 y2 y3 yn-1 yn A<<<B ASM variable rotation ASM Permutation ROL32 High-speed clock complex ROL A, B sequence of order of wires A instructions fast clock CLK’ ROL, OR, AND min (B, 32-B) CLK’ cycles 33 34 33 34 Major operations of secret-key ciphers (4) Public-Key (Asymmetric) Cryptosystems Addition/subtraction Software Hardware A B Public key of Bob - KB Private/Secret key of Bob - kB w w C n n unsigned long A, B, C; ADD C = A+B; n ASM n Network C ADD Adder/subtractor Encryption Decryption C=A+B mod 2w Alice Bob w=32, 16 35 36 35 36 9 One-way function Trap-door one-way function X f(X) Y Whitfield Diffie and Martin Hellman “New directions in cryptography,” 1976 f-1(Y) PUBLIC KEY EXAMPLE: f: Y=f(X) = AX mod P X f(X) Y where P and A are constants, P is a large prime, A is an integer smaller than P f-1(Y) Number of bits of P Average number of multiplications necessary to compute f f -1 1000 1500 1030 PRIVATE KEY 37 38 37 38 Key Distribution Digital Signature Alice Bob Alice Bob message message signature signature Bob’s Bob’s Bob’s Alice’s Alice’s Alice’s public private public private public public key key key key key key ciphertext ciphertext message message message signature signature Intruder Judge Bob’s Alice’s Alice’s public Intruder public public key key key ciphertext 39 message message 40 39 40 10 Features of Public-Key Ciphers Basic Operations of RSA Encryption L < k e public key exponent PERFORMANCE STRENGTH • software C = M mod N • hardware ciphertext plaintext public key modulus k-bits Best attack: Building blocks: k-bits k-bits Solving the underlying Complex arithmetic operations on large math problem, such as Decryption L=k factoring of large integers private key integers: FUNCTIONALITY d exponent • easy key distribution Given N=P∙Q, M = C mod N find P and Q.
Load more

Recommended publications
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin
    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
    [Show full text]
  • State of the Art in Lightweight Symmetric Cryptography
    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
    [Show full text]
  • Data Encryption Standard
    Data Encryption Standard The Data Encryption Standard (DES /ˌdiːˌiːˈɛs, dɛz/) is a Data Encryption Standard symmetric-key algorithm for the encryption of electronic data. Although insecure, it was highly influential in the advancement of modern cryptography. Developed in the early 1970s atIBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with theNational Security Agency (NSA), the NBS eventually selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of classified The Feistel function (F function) of DES design elements, a relatively short key length of the symmetric-key General block cipher design, and the involvement of the NSA, nourishing Designers IBM suspicions about a backdoor. Today it is known that the S-boxes that had raised those suspicions were in fact designed by the NSA to First 1975 (Federal Register) actually remove a backdoor they secretly knew (differential published (standardized in January 1977) cryptanalysis). However, the NSA also ensured that the key size was Derived Lucifer drastically reduced such that they could break it by brute force from [2] attack. The intense academic scrutiny the algorithm received over Successors Triple DES, G-DES, DES-X, time led to the modern understanding of block ciphers and their LOKI89, ICE cryptanalysis.
    [Show full text]
  • Miss in the Middle Attacks on IDEA and Khufu
    Miss in the Middle Attacks on IDEA and Khufu Eli Biham? Alex Biryukov?? Adi Shamir??? Abstract. In a recent paper we developed a new cryptanalytic techni- que based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1 Introduction In [5,17] a new cryptanalytic technique based on impossible differentials was proposed, and its application to Skipjack [28] and DEAL [17] was described. In this paper we apply this technique to the IDEA and Khufu cryptosystems. Our new attacks are much more efficient and cover more rounds than the best previously known attacks on these ciphers. The main idea behind these new attacks is a bit counter-intuitive. Unlike tra- ditional differential and linear cryptanalysis which predict and detect statistical events of highest possible probability, our new approach is to search for events that never happen. Such impossible events are then used to distinguish the ci- pher from a random permutation, or to perform key elimination (a candidate key is obviously wrong if it leads to an impossible event). The fact that impossible events can be useful in cryptanalysis is an old idea (for example, some of the attacks on Enigma were based on the observation that letters can not be encrypted to themselves).
    [Show full text]
  • Impossible Differential Cryptanalysis of Reduced Round Hight
    1 IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY CIHANG˙ IR˙ TEZCAN IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY JUNE 2009 Approval of the thesis: IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT submitted by CIHANG˙ IR˙ TEZCAN in partial fulfillment of the requirements for the degree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Ersan Akyıldız Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Ali Doganaksoy˘ Supervisor, Mathematics Examining Committee Members: Prof. Dr. Ersan Akyıldız METU, Institute of Applied Mathematics Assoc. Prof. Ali Doganaksoy˘ METU, Department of Mathematics Dr. Muhiddin Uguz˘ METU, Department of Mathematics Dr. Meltem Sonmez¨ Turan Dr. Nurdan Saran C¸ankaya University, Department of Computer Engineering Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: CIHANG˙ IR˙ TEZCAN Signature : iii ABSTRACT IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT Tezcan, Cihangir M.Sc., Department of Cryptography Supervisor : Assoc. Prof. Dr. Ali Doganaksoy˘ June 2009, 49 pages Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive.
    [Show full text]
  • Cryptanalysis of Selected Block Ciphers
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 Cryptanalysis of Selected Block Ciphers Alkhzaimi, Hoda A. Publication date: 2016 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Alkhzaimi, H. A. (2016). Cryptanalysis of Selected Block Ciphers. Technical University of Denmark. DTU Compute PHD-2015 No. 360 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Cryptanalysis of Selected Block Ciphers Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at the Department of Mathematics and Computer Science-COMPUTE in The Technical University of Denmark by Hoda A.Alkhzaimi December 2014 To my Sanctuary in life Bladi, Baba Zayed and My family with love Title of Thesis Cryptanalysis of Selected Block Ciphers PhD Project Supervisor Professor Lars R. Knudsen(DTU Compute, Denmark) PhD Student Hoda A.Alkhzaimi Assessment Committee Associate Professor Christian Rechberger (DTU Compute, Denmark) Professor Thomas Johansson (Lund University, Sweden) Professor Bart Preneel (Katholieke Universiteit Leuven, Belgium) Abstract The focus of this dissertation is to present cryptanalytic results on selected block ci- phers.
    [Show full text]
  • Design and Analysis of Lightweight Block Ciphers : a Focus on the Linear
    Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer Christof Beierle Doctoral Dissertation Faculty of Mathematics Ruhr-Universit¨atBochum December 2017 Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer vorgelegt von Christof Beierle Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum Dezember 2017 First reviewer: Prof. Dr. Gregor Leander Second reviewer: Prof. Dr. Alexander May Date of oral examination: February 9, 2018 Abstract Lots of cryptographic schemes are based on block ciphers. Formally, a block cipher can be defined as a family of permutations on a finite binary vector space. A majority of modern constructions is based on the alternation of a nonlinear and a linear operation. The scope of this work is to study the linear operation with regard to optimized efficiency and necessary security requirements. Our main topics are • the problem of efficiently implementing multiplication with fixed elements in finite fields of characteristic two. • a method for finding optimal alternatives for the ShiftRows operation in AES-like ciphers. • the tweakable block ciphers Skinny and Mantis. • the effect of the choice of the linear operation and the round constants with regard to the resistance against invariant attacks. • the derivation of a security argument for the block cipher Simon that does not rely on computer-aided methods. Zusammenfassung Viele kryptographische Verfahren basieren auf Blockchiffren. Formal kann eine Blockchiffre als eine Familie von Permutationen auf einem endlichen bin¨arenVek- torraum definiert werden. Eine Vielzahl moderner Konstruktionen basiert auf der wechselseitigen Anwendung von nicht-linearen und linearen Abbildungen.
    [Show full text]
  • Analysis of Differential Attacks in ARX Constructions. Asiacrypt 2012
    Analysis of Differential Attacks in ARX Constructions Full version of the Asiacrypt 2012 paper Gaëtan Leurent University of Luxembourg – LACS [email protected] Abstract. In this paper, we study differential attacks against ARX schemes. We build upon the generalized characteristics of de Cannière and Rechberger; we introduce new multi-bit constraints to describe differential characteristics in ARX designs more accurately, and quartet constraints to analyze boomerang attacks. We also describe how to propagate those constraints; this can be used either to assist manual construction of a differential characteristic, or to extract more information from an already built characteristic. We show that our new constraints are more precise than what was used in previous works, and can detect more cases of incompatibility. We have developed a set of tools for this analysis of ARX primitives based on this set of constraints. In the hope that this will be useful to other cryptanalysts, our tools are publicly available at http://www.di.ens.fr/~leurent/arxtools.html. As a first application, we show that several published attacks are in fact invalid because the differential characteristics cannot be satisfied. This highlights the importance of verifying differential attacks more thoroughly. Keywords: Symmetric ciphers, Hash functions, ARX, Generalized characteristics, Differ- ential attacks, Boomerang attacks 1 Introduction A popular way to construct cryptographic primitives is the so-called ARX design, where the construction only uses Additions (a b), Rotations (a o i), and Xors (a ⊕ b). These operations are very simple and can be implemented efficiently in software or in hardware, but when mixed together, they interact in complex and non-linear ways.
    [Show full text]
  • The Retracing Boomerang Attack
    The Retracing Boomerang Attack Orr Dunkelman1, Nathan Keller2, Eyal Ronen3;4, and Adi Shamir5 1 Computer Science Department, University of Haifa, Israel [email protected] 2 Department of Mathematics, Bar-Ilan University, Israel [email protected] 3 School of Computer Science, Tel Aviv University, Tel Aviv, Israel [email protected] 4 COSIC, KU Leuven, Heverlee, Belgium 5 Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Israel [email protected] Abstract. Boomerang attacks are extensions of differential attacks, that make it possible to combine two unrelated differential properties of the first and second part of a cryptosystem with probabilities p and q into a new differential-like property of the whole cryptosystem with probability p2q2 (since each one of the properties has to be satisfied twice). In this paper we describe a new version of boomerang attacks which uses the counterintuitive idea of throwing out most of the data (including poten- tially good cases) in order to force equalities between certain values on the ciphertext side. This creates a correlation between the four proba- bilistic events, which increases the probability of the combined property to p2q and increases the signal to noise ratio of the resultant distin- guisher. We call this variant a retracing boomerang attack since we make sure that the boomerang we throw follows the same path on its forward and backward directions. To demonstrate the power of the new technique, we apply it to the case of 5-round AES. This version of AES was repeatedly attacked by a large variety of techniques, but for twenty years its complexity had remained stuck at 232.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • Cryptanalysis of Reduced Round SKINNY Block Cipher
    Cryptanalysis of Reduced round SKINNY Block Cipher Sadegh Sadeghi1, Tahereh Mohammadi2 and Nasour Bagheri2,3 1 Department of Mathematics, Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, {T.Mohammadi,Nabgheri}@sru.ac.ir 3 School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran, [email protected] Abstract. SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones. Keywords: SKINNY · Zero-correlation linear cryptanalysis · Related-tweakey impos- sible differential cryptanalysis · MILP 1 Introduction Because of the growing use of small computing devices such as RFID tags, the new challenge in the past few years has been the application of conventional cryptographic standards to small devices.
    [Show full text]
  • An Improved Impossible Differential Attack on MISTY1
    An Improved Impossible Differential Attack on MISTY1 Orr Dunkelman1,⋆ and Nathan Keller2,⋆⋆ 1 Ecole´ Normale Sup´erieure D´epartement d’Informatique, CNRS, INRIA 45 rue d’Ulm, 75230 Paris, France. [email protected] 2Einstein Institute of Mathematics, Hebrew University. Jerusalem 91904, Israel [email protected] Abstract. MISTY1 is a Feistel block cipher that received a great deal of cryptographic attention. Its recursive structure, as well as the added FL layers, have been successful in thwarting various cryptanalytic tech- niques. The best known attacks on reduced variants of the cipher are on either a 4-round variant with the FL functions, or a 6-round variant without the FL functions (out of the 8 rounds of the cipher). In this paper we combine the generic impossible differential attack against 5-round Feistel ciphers with the dedicated Slicing attack to mount an attack on 5-round MISTY1 with all the FL functions with time com- plexity of 246.45 simple operations. We then extend the attack to 6- round MISTY1 with the FL functions present, leading to the best known cryptanalytic result on the cipher. We also present an attack on 7-round MISTY1 without the FL layers. 1 Introduction MISTY1 [10] is a 64-bit block cipher with presence in many cryptographic stan- dards and applications. For example, MISTY1 was selected to be in the CRYP- TREC e-government recommended ciphers in 2002 and in the final NESSIE portfolio of block ciphers, as well as an ISO standard (in 2005). MISTY1 has a recursive Feistel structure, where the round function is in itself (very close to) a 3-round Feistel construction.
    [Show full text]