DOCSLIB.ORG

Secure Block Ciphers - Cryptanalysis and Design

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

View metadata,Downloaded citation and from similar orbit.dtu.dk papers on:at core.ac.uk Dec 18, 2017 brought to you by CORE provided by Online Research Database In Technology Secure Block Ciphers - Cryptanalysis and Design Tiessen, Tyge; Rechberger, Christian; Knudsen, Lars Ramkilde Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Tiessen, T., Rechberger, C., & Knudsen, L. R. (2017). Secure Block Ciphers - Cryptanalysis and Design. Kgs. Lyngby: Technical University of Denmark (DTU). (DTU Compute PHD-2016; No. 412). General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Secure Block Ciphers Cryptanalysis and Design Tyge Tiessen Ph.D. Thesis April 2016 Document compiled on April 25, 2016. Supervisor: Christian Rechberger Co-supervisor: Lars R. Knudsen Technical University of Denmark Department of Applied Mathematics and Computer Science ISSN: 0909-3192 Serial no.: PHD-2016-412 Abstract The rapid evolution of computational devices and the widespread adoption of digital communication have deeply transformed the way we conduct both business and everyday life and they continue to do so. The ability to ensure confidentiality and integrity of information sent over digital channels is fundamental to this development and is absolutely essential for all private and corporate communication, ranging from bank transactions, digital citizen services, and remote computer access, to cell phone calls and instant messaging. The vast majority of secured data sent over all types of networks is encrypted using so-called symmetric ciphers. The security of our digital infrastructure thus rests at its very base on their security. The central topic of this thesis is the security of block ciphers – the most prominent form of symmetric ciphers. This thesis is separated in two parts. The first part is an introduction to block ciphers and their cryptanalysis, the second part contains publications written and published during the PhD studies. The first publication evaluates the security of a modification of the AES in which the choice of S-box is unknown to the attacker. We find that some of the attacks that can be applied to the AES can be transferred to this block cipher, albeit with a higher attack complexity. The second publication introduces a new block cipher family which is targeted for new applications in fully homomorphic encryption and multi-party computation. We demonstrate the soundness of the design and its superior performance in these applications. The third publication treats the cryptanalysis of Simon, a cipher proposed by the NSA. In particular we discuss how the methods of differential and linear cryptanalysis can correctly be applied to ciphers of this type. The fourth publication introduces a cryptanalytic framework which generalizes differential cryptanalysis. We demonstrate that attacks based on impossible transitions in this framework can competitively break round-reduced block ciphers in the low-data setting. i Resumé Den hurtige og fortsatte udvikling af beregningsenheder og den udbredte overgang til digital kommunikation har fundamentalt ændret den måde, hvorpå vi gør forretning og begår os i hverdagen. Evnen til at sikre fortrolighed og integritet af den information, vi sender via digitale kommunikationskanaler, er fundamental for denne udvikling og er absolut essentiel for al privat og forretningsmæssig kommunikation, spændende over alt fra bankoverførsler, digitale offentlige tjenester og fjernadgang til computere, til mobiltelefonsamtaler og chatbeskeder. Langt størstedelen af sikret data, der bliver sendt over alle typer netværk, er krypteret med såkaldte symmetriske ciphers. Vores digitale infrastrukturs sikkerhed hviler således grundlæggende på sikkerheden af disse. Hovedemnet for denne afhandling er sikkerheden af block ciphers – den mest anvendte type af symmetriske ciphers. Afhandlingen består af to dele. Den første del er en introduktion til block ciphers og kryptoanalyse af disse, mens den anden del består af publikationer skrevet og udgivet under Ph.d.-studierne. Den første publikation undersøger sikkerheden af en modificeret udgave af AES, hvor valget af S-box ikke er kendt af angriberen. Vi konkluderer, at nogle angreb på AES kan overføres til denne block cipher, dog med en forhøjet angrebskompleksitet. Den anden publikation introducerer en ny type block cipher, som er målrettet nye anvendelser inden for fuldstændigt homomorfisk kryptering og multi-party beregninger. Vi demonstrerer designets korrekthed og overlegne ydeevne i disse anvendelser. Den tredje publikation omhandler kryptoanalyse af Simon, en block cipher udviklet af NSA. Navnligt diskuterer vi, hvordan differential og linear kryptoanalyse korrekt kan anvendes på denne type cipher. Den fjerde publikation introducerer en type kryptoanalyse som generaliserer differential kryptoanalyse. Vi viser, at angreb baseret på umulige overgange i denne type kryptoanalyse kan bruges til vellykket at angribe block ciphers. iii Zusammenfassung Rasante Fortschritte in der Computerentwicklung und die umfassende Ausbreitung digigitaler Kommunikationsmittel haben tiefgreifende Veränderungen sowohl im Wirtschafts- als auch im Alltagsleben nach sich gezogen, die unvermindert andauern. In dieser Entwicklung spielt die Fähigkeit, die Vertraulichkeit und Unversehrtheit von Information, die über digitale Kanäle gesendet wird, zu gewährleisten, eine Schlüs- selrolle. Sie ist grundlegend für jegliche private und kommerzielle Kommunikation, sei es Onlinebanking, Fernwartung, Handytelefonante oder Chatprogramme. Die große Mehrheit der gesicherten Daten, die über alle Arten von Netzwerken geschickt werden, wird verschlüsselt mithilfe von sogenannten symmetrischen Chiffren. Somit bildet die Sicherheit dieser Chiffren das Fundament der Sicherheit unserer digitalen Infrastruktur. Den zentralen Gegenstand dieser Dissertation bildet die Sicherheit von Blockchif- fren – die bedeutendste Art von symmetrischen Chiffren. Diese Arbeit ist in zwei Teile aufgeteilt. Den ersten Teil bildet eine kurze Einführung zu Blockchiffren und ihrer Kryptanalyse. Der zweite Teil enthält Veröffentlichungen, die im Rahmen der Promotion entstanden und veröffentlich wurden. Die erste Veröffentlichung unter- sucht die Sicherheit einer Abwandlung des AES, in dem die Spezifierung der S-Box dem Angreifer unbekannt ist. Wie sich zeigt, lassen sich einige der Angriffe auf AES auch auf diese Variante übertragen, allerdings zulasten des Zeitaufwandes des Angriffs. Die zweite Veröffentlichung führt eine neue Familie von Blockchiffren ein, die speziell für den Einsatz in Protokollen, die sicheres verteiltes Rechnen oder voll- ständig homomorphe Verschlüsselung benutzen, entwickelt wurde. Wir zeigen, dass diese Chiffrenfamilie Sicherheit bei gleichzeitig höherer Leistungsfähigkeit in diesen Protokollen möglich macht. Die dritte Veröffentlichung behandelt die Kryptanalyse der NSA-Chiffre Simon. Insbesondere wird diskutiert, wie die Methoden der differen- tiellen und linearen Kryptanalyse auf Chiffren dieser Art korrekt angewandt werden können. Die vierte Veröffentlichung führt einen neuen Typus von Kryptanalyse ein, der eine Verallgemeinerung der differentiellen Kryptanalyse darstellt. Es wird ge- zeigt, dass Attacken, die auf unmöglichen Übergängen in dieser erweiterten Struktur fußen, beim Brechen rundenreduzierter Blockchiffren mit geringem Datenaufwand konkurrenzfähig sind. v Acknowledgements I truly enjoyed my time as a Ph.D. student. I am aware that this is to the smallest part my own accomplishment and I would like to take this opportunity to express my gratitude to those who made this such a pleasant experience. First of all, I would like to thank my supervisor, Christian Rechberger who was always available for guidance and support while leaving me freedom to pursue research ideas of my own. Thank you for your encouragement and patience. I would also like to thank Lars Ramkilde Knudsen, my co-supervisor, for managing a great research group and even more so for being a source of inspiration, having an open door, and putting things into perspective. This gratitude naturally extends to all current and former members of our research section: Mohamed Ahmed Abdelraheem, Martin R. Albrecht, Hoda A. Alkhzaimi, Subhadeep Banik, Andrey Bogdanov, Christina Boura, Christian D. Jensen, Stefan Kölbl, Martin M. Lauridsen, Christiane Peters, Arnab Roy, Elmar Tischhauser, and Philip Vejre. All of you helped to make this a wonderful and inspiring research group to be in. I particularly would like to thank Martin and Stefan for their humor, endless discussions, distractions, enthusiasm, coffee, and beers. I also thank Joan Daemen and Vincent Rijmen for joining the defense committee and Christian D. Jensen for chairing it. I would like to thank Gregor Leander for his hospitality
Recommended publications
  • Cryptographic Sponge Functions

    Cryptographic Sponge Functions

    Cryptographic sponge functions Guido B1 Joan D1 Michaël P2 Gilles V A1 http://sponge.noekeon.org/ Version 0.1 1STMicroelectronics January 14, 2011 2NXP Semiconductors Cryptographic sponge functions 2 / 93 Contents 1 Introduction 7 1.1 Roots .......................................... 7 1.2 The sponge construction ............................... 8 1.3 Sponge as a reference of security claims ...................... 8 1.4 Sponge as a design tool ................................ 9 1.5 Sponge as a versatile cryptographic primitive ................... 9 1.6 Structure of this document .............................. 10 2 Definitions 11 2.1 Conventions and notation .............................. 11 2.1.1 Bitstrings .................................... 11 2.1.2 Padding rules ................................. 11 2.1.3 Random oracles, transformations and permutations ........... 12 2.2 The sponge construction ............................... 12 2.3 The duplex construction ............................... 13 2.4 Auxiliary functions .................................. 15 2.4.1 The absorbing function and path ...................... 15 2.4.2 The squeezing function ........................... 16 2.5 Primary aacks on a sponge function ........................ 16 3 Sponge applications 19 3.1 Basic techniques .................................... 19 3.1.1 Domain separation .............................. 19 3.1.2 Keying ..................................... 20 3.1.3 State precomputation ............................ 20 3.2 Modes of use of sponge functions .........................
  • The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS (Full Version)

    The SKINNY Family of Block Ciphers and Its Low-Latency Variant MANTIS (Full Version)

    The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS (Full Version) Christof Beierle1, J´er´emy Jean2, Stefan K¨olbl3, Gregor Leander1, Amir Moradi1, Thomas Peyrin2, Yu Sasaki4, Pascal Sasdrich1, and Siang Meng Sim2 1 Horst G¨ortzInstitute for IT Security, Ruhr-Universit¨atBochum, Germany [email protected] 2 School of Physical and Mathematical Sciences Nanyang Technological University, Singapore [email protected], [email protected], [email protected] 3 DTU Compute, Technical University of Denmark, Denmark [email protected] 4 NTT Secure Platform Laboratories, Japan [email protected] Abstract. We present a new tweakable block cipher family SKINNY, whose goal is to compete with NSA recent design SIMON in terms of hardware/software perfor- mances, while proving in addition much stronger security guarantees with regards to differential/linear attacks. In particular, unlike SIMON, we are able to provide strong bounds for all versions, and not only in the single-key model, but also in the related-key or related-tweak model. SKINNY has flexible block/key/tweak sizes and can also benefit from very efficient threshold implementations for side-channel protection. Regarding performances, it outperforms all known ciphers for ASIC round-based implementations, while still reaching an extremely small area for serial implementations and a very good efficiency for software and micro-controllers im- plementations (SKINNY has the smallest total number of AND/OR/XOR gates used for encryption process). Secondly, we present MANTIS, a dedicated variant of SKINNY for low-latency imple- mentations, that constitutes a very efficient solution to the problem of designing a tweakable block cipher for memory encryption.
  • Modes of Operation for Compressed Sensing Based Encryption

    Modes of Operation for Compressed Sensing Based Encryption

    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
  • BRISK: Dynamic Encryption Based Cipher for Long Term Security

    BRISK: Dynamic Encryption Based Cipher for Long Term Security

    sensors Article BRISK: Dynamic Encryption Based Cipher for Long Term Security Ashutosh Dhar Dwivedi Cyber Security Section, Department of Applied Mathematics and Computer Science, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark; [email protected] or [email protected] Abstract: Several emerging areas like the Internet of Things, sensor networks, healthcare and dis- tributed networks feature resource-constrained devices that share secure and privacy-preserving data to accomplish some goal. The majority of standard cryptographic algorithms do not fit with these constrained devices due to heavy cryptographic components. In this paper, a new block cipher, BRISK, is proposed with a block size of 32-bit. The cipher design is straightforward due to simple round operations, and these operations can be efficiently run in hardware and suitable for software. Another major concept used with this cipher is dynamism during encryption for each session; that is, instead of using the same encryption algorithm, participants use different ciphers for each session. Professor Lars R. Knudsen initially proposed dynamic encryption in 2015, where the sender picks a cipher from a large pool of ciphers to encrypt the data and send it along with the encrypted message. The receiver does not know about the encryption technique used before receiving the cipher along with the message. However, in the proposed algorithm, instead of choosing a new cipher, the process uses the same cipher for each session, but varies the cipher specifications from a given small pool, e.g., the number of rounds, cipher components, etc. Therefore, the dynamism concept is used here in a different way.
  • Truncated Differential Analysis of Round-Reduced Roadrunner

    Truncated Differential Analysis of Round-Reduced Roadrunner

    Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher Qianqian Yang1;2;3, Lei Hu1;2;??, Siwei Sun1;2, Ling Song1;2 1State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China 2Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China 3University of Chinese Academy of Sciences, Beijing 100049, China {qqyang13,hu,swsun,lsong}@is.ac.cn Abstract. RoadRunneR is a small and fast bitslice lightweight block ci- pher for low cost 8-bit processors proposed by Adnan Baysal and S¨ahap S¸ahin in the LightSec 2015 conference. While most software efficient lightweight block ciphers lacking a security proof, RoadRunneR's secu- rity is provable against differential and linear attacks. RoadRunneR is a Feistel structure block cipher with 64-bit block size. RoadRunneR-80 is a vision with 80-bit key and 10 rounds, and RoadRunneR-128 is a vision with 128-bit key and 12 rounds. In this paper, we obtain 5-round truncated differentials of RoadRunneR-80 and RoadRunneR-128 with probability 2−56. Using the truncated differentials, we give a truncated differential attack on 7-round RoadRunneR-128 without whitening keys with data complexity of 255 chosen plaintexts, time complexity of 2121 encryptions and memory complexity of 268. This is first known attack on RoadRunneR block cipher. Keywords: Lightweight, Block Cipher, RoadRunneR, Truncated Dif- ferential Cryptanalysis 1 Introduction Recently, lightweight block ciphers, which could be widely used in small embed- ded devices such as RFIDs and sensor networks, are becoming more and more popular.
  • Improved Side Channel Attack on the Block Cipher NOEKEON

    Improved Side Channel Attack on the Block Cipher NOEKEON

    Improved side channel attack on the block cipher NOEKEON Changyong Peng a Chuangying Zhu b Yuefei Zhu a Fei Kang a aZhengzhou Information Science and Technology Institute,Zhengzhou, China, Email: [email protected],[email protected],[email protected],k [email protected] bSchool of Computer and Control, Guillin University of Electronic Technology, Guilin, China Abstract NOEKEON is a block cipher having key-size 128 and block size 128,proposed by Daemen, J et al.Shekh Faisal Abdul-Latip et al. give a side channel attack(under the single bit leakage model) on the cipher at ISPEC 2010.Their analysis shows that one can recover the 128-bit key of the cipher, by considering a one-bit information leakage from the internal state after the second round, with time complexity of O(268) evaluations of the cipher, and data complexity of about 210 chosen plaintexts.Our side channel attack improves upon the previous work of Shekh Faisal Abdul-Latip et al. from two aspects. First, we use the Hamming weight leakage model(Suppose the Hamming weight of the lower 64 bits and the higher 64 bits of the output of the first round can be obtained without error) which is a more relaxed leakage assumption, supported by many previously known practical results on side channel attacks, compared to the more challenging leakage assumption that the adversary has access to the ”exact” value of the internal state bits as used by Shekh Faisal Abdul-Latip et al. Second, our attack has also a reduced complexity compared to that of Shekh Faisal Abdul-Latip et al.
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1

    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
  • Related-Key Impossible Boomerang Cryptanalysis on Lblock-S

    Related-Key Impossible Boomerang Cryptanalysis on Lblock-S

    KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS VOL. 13, NO. 11, Nov. 2019 5717 Copyright ⓒ 2019 KSII Related-key Impossible Boomerang Cryptanalysis on LBlock-s Min Xie*, Qiya Zeng State Key Laboratory of Integrated Service Networks, Xidian University Xi’an 710071, China [e-mail: [email protected], [email protected]] *Corresponding author: Min Xie Received March 26, 2018; revised April 2, 2019; accepted May 3, 2019; published November 30, 2019 Abstract LBlock-s is the core block cipher of authentication encryption algorithm LAC, which uses the same structure of LBlock and an improved key schedule algorithm with better diffusion property. Using the differential properties of the key schedule algorithm and the cryptanalytic technique which combines impossible boomerang attacks with related-key attacks, a 15-round related-key impossible boomerang distinguisher is constructed for the first time. Based on the distinguisher, an attack on 22-round LBlock-s is proposed by adding 4 rounds on the top and 3 rounds at the bottom. The time complexity is about only 2 . 22-round encryptions and the data complexity is about 2 chosen plaintexts. Compared68 76 with published cryptanalysis results on LBlock-s, there has58 been a sharp decrease in time complexity and an ideal data complexity. Keywords: LBlock-s, lightweight block cipher, related-key, impossible differential, boomerang cryptanalysis This research was supported in part by the National Key Research and Development Program of China (Grant No. 2016YFB0800601) and Key Program of NSFC-Tongyong Union Foundation (Grant No. U1636209). http://doi.org/10.3837/tiis.2019.11.024 ISSN : 1976-7277 5718 Min Xie & Qiya Zeng: Related-key Impossible Boomerang Cryptanalysis on LBlock-s 1.
  • Impossible Differential Cryptanalysis of Reduced Round Hight

    Impossible Differential Cryptanalysis of Reduced Round Hight

    1 IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY CIHANG˙ IR˙ TEZCAN IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY JUNE 2009 Approval of the thesis: IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT submitted by CIHANG˙ IR˙ TEZCAN in partial fulfillment of the requirements for the degree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Ersan Akyıldız Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Ali Doganaksoy˘ Supervisor, Mathematics Examining Committee Members: Prof. Dr. Ersan Akyıldız METU, Institute of Applied Mathematics Assoc. Prof. Ali Doganaksoy˘ METU, Department of Mathematics Dr. Muhiddin Uguz˘ METU, Department of Mathematics Dr. Meltem Sonmez¨ Turan Dr. Nurdan Saran C¸ankaya University, Department of Computer Engineering Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: CIHANG˙ IR˙ TEZCAN Signature : iii ABSTRACT IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT Tezcan, Cihangir M.Sc., Department of Cryptography Supervisor : Assoc. Prof. Dr. Ali Doganaksoy˘ June 2009, 49 pages Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive.
  • New Cryptanalysis of Block Ciphers with Low Algebraic Degree

    New Cryptanalysis of Block Ciphers with Low Algebraic Degree

    New Cryptanalysis of Block Ciphers with Low Algebraic Degree Bing Sun1,LongjiangQu1,andChaoLi1,2 1 Department of Mathematics and System Science, Science College of National University of Defense Technology, Changsha, China, 410073 2 State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, 10039 happy [email protected], ljqu [email protected] Abstract. Improved interpolation attack and new integral attack are proposed in this paper, and they can be applied to block ciphers using round functions with low algebraic degree. In the new attacks, we can determine not only the degree of the polynomial, but also coefficients of some special terms. Thus instead of guessing the round keys one by one, we can get the round keys by solving some algebraic equations over finite field. The new methods are applied to PURE block cipher successfully. The improved interpolation attacks can recover the first round key of 8-round PURE in less than a second; r-round PURE with r ≤ 21 is breakable with about 3r−2 chosen plaintexts and the time complexity is 3r−2 encryptions; 22-round PURE is breakable with both data and time complexities being about 3 × 320. The new integral attacks can break PURE with rounds up to 21 with 232 encryptions and 22-round with 3 × 232 encryptions. This means that PURE with up to 22 rounds is breakable on a personal computer. Keywords: block cipher, Feistel cipher, interpolation attack, integral attack. 1 Introduction For some ciphers, the round function can be described either by a low degree polynomial or by a quotient of two low degree polynomials over finite field with characteristic 2.
  • Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on Round-Reduced

    Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on Round-Reduced

    Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on round-reduced AES Lorenzo Grassi IAIK, Graz University of Technology, Austria [email protected] Abstract. At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES - based on the “multiple-of-8” property - has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems rather hard to implement a key-recovery attack different than brute-force like using such a distinguisher. In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AES- like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair of plaintexts. Here we theoretically prove that for 4-round AES the corresponding ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the corresponding pairs of ciphertexts of the new pairs of plaintexts have the same property. Such secret-key distinguisher - which is independent of the secret-key, of the details of the S-Box and of the MixColumns matrix (except for the branch number equal to 5) - can be used as starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the distinguisher and of the attack. As a second contribution, we show how to combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up new 5-round distinguishers, that exploit properties which are independent of the secret key, of the details of the S-Box and of the MixColumns matrix.
  • 1 Introduction

    1 Introduction

    A pictorial illustration of conventional cryptography Lars Ramkilde Knudsen March 1993 Abstract In this pap er we consider conventional cryptosystems. We illus- trate the di erences b etween substitution, transp osition and pro duct ciphers by showing encryptions of a highly redundant cleartext, a p or- trait. Also it is pictorially demonstrated that no conventional cryp- tosystem in its basic mo de provides sucient security for redundant cleartexts. 1 Intro duction The history of cryptography is long and go es back at least 4,000 years to the Egyptians, who used hieroglyphic co des for inscription on tombs [2]. Since then many ciphers have b een develop ed and used. Many of these old ciphers are much to o weak to be used in applications to day, b ecause of the tremendous progress in computer technology. Until 1977 all ciphers were so-called one-key ciphers or conventional ciphers. In these ciphers the keys for encryption and decryption are identical or easily derived from each other. In 1977 Die and Hellman intro duced two-key ciphers or public-key ciphers, where the knowledge of one key gives no knowledge ab out the other key. In this pap er we consider only conventional ciphers. We divide these ciphers into three groups: Substitution Ciphers, Itansp osition Ciphers and Pro duct Ciphers. For each group we consider a sp eci c cipher and give a pictorial 1 illustration of an encryption. Finally we give an illustration that the strong conventional cipher, DES, in its basic mo de is insucient to ensure protection when used on a large plaintext.