Cryptanalysis of Selected Block Ciphers
Total Page:16
File Type:pdf, Size:1020Kb
Downloaded from orbit.dtu.dk on: Sep 24, 2021 Cryptanalysis of Selected Block Ciphers Alkhzaimi, Hoda A. Publication date: 2016 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Alkhzaimi, H. A. (2016). Cryptanalysis of Selected Block Ciphers. Technical University of Denmark. DTU Compute PHD-2015 No. 360 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Cryptanalysis of Selected Block Ciphers Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at the Department of Mathematics and Computer Science-COMPUTE in The Technical University of Denmark by Hoda A.Alkhzaimi December 2014 To my Sanctuary in life Bladi, Baba Zayed and My family with love Title of Thesis Cryptanalysis of Selected Block Ciphers PhD Project Supervisor Professor Lars R. Knudsen(DTU Compute, Denmark) PhD Student Hoda A.Alkhzaimi Assessment Committee Associate Professor Christian Rechberger (DTU Compute, Denmark) Professor Thomas Johansson (Lund University, Sweden) Professor Bart Preneel (Katholieke Universiteit Leuven, Belgium) Abstract The focus of this dissertation is to present cryptanalytic results on selected block ci- phers. Block ciphers are the mathematical structure that will take a plaintext message and convert it into a ciphertext one block at a time using a secret key. They play an essential role in many cryptographic architectures and frameworks. For a long time they were known as the main building block that will provide confidentiality in an informa- tion system. They would also be able to represent a full spectrum of cryptographic services as many block ciphers can be used to construct stream ciphers, hash functions, pseudorandom number generators, and authenticated encryption designs. For this reason a multitude of initiatives over the years has been established to provide a secure and sound designs for block ciphers as in the calls for Data Encryption Standard (DES) and Advanced Encryption Standard (AES), lightweight ciphers initiatives, and the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR). In this thesis, we first present cryptanalytic results on different ciphers. We propose attack named the Invariant Subspace Attack. It is utilized to break the full block cipher PRINTcipher for a significant fraction of its keys. This new attack also gives us new insights into other, more well-established attacks. In addition, we also show that for weak keys, strongly biased linear approximations exists for any number of rounds. Furthermore, we provide variety of attacks on the family of lightweight block cipher SIMON that was published by the U.S National Security Agency (NSA). The ciphers are developed with optimization towards both hardware and software in mind. While the specification paper discusses design requirements and performance of the presented lightweight ciphers thoroughly, no security assessment is given. We present a series of observations on the presented construction that, in some cases, yield attacks, while in other cases may provide basis of further analysis by the cryptographic community. Specifically, The attacks obtained are using classical- as well as truncated differentials. In addition to that, we also investigate the security of SIMON against different linear 2 cryptanalysis methods, i.e., classic linear,and linear hull attacks. we present a con- nection between linear characteristic and differential characteristic, multiple linear and differential and linear hull and differential, and employ it to adapt the current known results on differential cryptanalysis of SIMON to linear cryptanalysis results. Finally, we investigate links between different methods of cryptanalysis and how they can be utilized for block cipher cryptanalysis. We consider the known results on the links among integral, impossible differential and zero-correlation linear hulls in order to prove that constructing a zero-correlation linear hull always implies the existence of an integral distinguisher. Moreover, we show that constructing zero-correlation linear hull on a Feistel structure with SP -type round functions, where P is a binary matrix, is equivalent to constructing impossible differential on the same structure except that P is substituted by the transposed matrix P T . We present an integral distinguishers of 5- round Feistel structure with bijective round functions and 3-round Feistel structure with round functions not necessarily being bijective. In addition to an integral distinguishers of Camellia so far, i.e., 7-round integral distinguishers of Camellia with F L/F L−1 layer and 8-round integral distinguishers of Camellia without F L/F L−1 layer. 3 4 Abstrakt (in Danish) Fokus for denne afhandling er at præsentere kryptoanalytiske resultater p˚audvalgte blokciphers. Block ciphers er den matematiske struktur, der tager en klartekstmed- delelse og konverterer den til en ciphertext ´en blok ad gangen ved hjælp af en hemmelig nøgle. De spiller en væsentlig rolle i mange kryptografiske arkitekturer og systemer. I lang tid var de kendt som den vigtigste byggesten, der giver fortrolighed i et informa- tionssystem. De er ogs˚ai stand til at repræsentere et fuldt spektrum af kryptografiske tjenester da blok ciphers kan bruges til at konstruere stream ciphers, hash funktioner, pseudo tilfældige tal generatorer, message authentication codes (MLA), og autentifi- cerede krypteringsdesign. Af denne grund er der etableret en lang række initiativer i ˚arenes løb at skabe et sikkert og sundt design til block ciphers som i datakrypteringsstan- dard DES og Advanced Encryption Standard (AES), flere s˚akaldte letvægtsciphers, og i konkurrencen om "Authenticated Encryption": Security, Applicability, and Robustness (CAESAR). Det første fokus for denne afhandling er at præsentere kryptoanalytiske re- sultater p˚aforskellige ciphers. Vi foresl˚ar et nyt angreb navngivet "Invariant Subspace Attack". Det anvendes til at bryde blockcipheret "PRINTcipher" for en betydelig del af nøglerummet. Dette nye angreb giver os ogs˚any indsigter i andre, mere veletablerede angreb. Vi udleder en afkortet differential karakteristisk med en runde-uafhængig men yderst nøgle-afhængig sandsynlighed. Derudover viser vi ogs˚a, at for svage nøgler, ek- sisterer der stærkt ikke-tilfældige lineære tilnærmelser for et vilk˚arligt antal runder. I denne forstand opfører PRINTcipher sig meget forskelligt fra hvad der sædvanligvis an- tages. Derudover tilbyder vi mange forskellige angreb p˚aletvægtsblockcipher-familien SIMON, som blev offentliggjort af det amerikanske National Security Agency (NSA). De ciphers er udviklet med optimering for b˚ade hardware og software i tankerne. Medens specifikationen af familien diskuterer krav design og ydeevne af de præsenterede letvægts ciphers grundigt, er der ingen sikkerhedsvurdering angivet. Vi præsenterer en serie af bemærkninger af konstruktionen, der, i nogle tilfælde, muliggør angreb, mens de i an- dre tilfælde kan tilvejebringe grundlaget for yderligere analyse af det kryptografiske samfund. Specifikt er angrebene opn˚aet ved anvendelse af klassiske- samt trunkerede 5 differentialer. Hertil kommer, at vi ogs˚aundersøger sikkerheden af SIMON mod forskel- lige lineære kryptoanalyse metoder, dvs., klassisk lineær, multi-lineær og lineære "hull" angreb. Vi præsenterer en forbindelse mellem en lineær karakteristik og en differential karakteristisk, multilineære og lineære "hull" angreb, og anvender dette til at tilpasse sig de nuværende kendte resultater p˚adifferential kryptoanalyse af SIMON til lineære kryptoanalyse resultater. Det andet fokus i denne afhandling er at undersøge nærmere forbindelser mellem de forskellige metoder af kryptoanalyse og hvordan de kan udnyttes til blockcipher kryp- toanalyse. Vi betragter de kendte resultater p˚ade links mellem integraler, umulige dif- ferentialer og nul- korrelation lineære "hull" med henblik p˚aat bevise, at konstruktion af en nul-korrelation for lineære "hull" altid indebærer eksistensen af en "integral distin- guisher". Endvidere viser vi, at konstruktion af en nul-korrelation lineær "hull" p˚aen Feistel struktur af SP typen, hvor P er en binær matrix, svarer til at konstruere umuligt differentiale p˚asamme struktur bortset fra, at P er substitueret med den transponerede matrix. Derudover, ved hjælp af de nyligt etablerede forbindelser er de følgende resul- tater opn˚aet: • Den første kendte "integral distinguisher" af 5-runders Feistel struktur med bijek- tive runde funktioner og 3-runders Feistel struktur med runde funktioner, der ikke nødvendigvis er bijektive. • De bedst kendte "integral distinguishers" af Camellia hidtil, dvs. 7-runders "inte- gral distinguishers" af Camellia med FL/FL-1 lagene og 8-runders "integral dis- tinguishers" af Camellia uden FL/FL-1 lagene.