DOCSLIB.ORG

Using Constraint Programming to Solve a Cryptanalytic Problem∗

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Using Constraint Programming to Solve a Cryptanalytic Problem∗ Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence (IJCAI-17) Using Constraint Programming to Solve a Cryptanalytic Problem∗ David Gerault(1), Marine Minier(2), and Christine Solnon(3) (1) Universite´ Clermont Auvergne, LIMOS, France (2) Universite´ de Lorraine, LORIA, UMR 7503, F-54506, France (3) Universite´ de Lyon, INSA-Lyon, F-69621, LIRIS, CNRS UMR5205, France [email protected], [email protected], [email protected] Abstract graph traversal approach [Fouque et al., 2013], and a Branch & Bound approach [Biryukov and Nikolic, 2010]. The ap- We describe Constraint Programming (CP) models proach of [Fouque et al., 2013] requires about 60 GB of mem- to solve a cryptanalytic problem: the chosen key ory when the key has 128 bits, and it has not been extended differential attack against the standard block cipher to larger keys. The approach of [Biryukov and Nikolic, 2010] AES. We show that CP solvers are able to solve only takes several megabytes of memory, but it requires sev- these problems quicker than dedicated cryptanaly- eral days of computation when the key has 128 bits, and sev- sis tools, and we prove that a solution claimed to eral weeks when the key has 192 bits. be optimal in two recent cryptanalysis papers is not During the process of designing new ciphers, this search optimal by providing a better solution. generally needs to be performed several times, so it is desir- able that it can be done rather quickly. Another point that 1 Introduction should not be neglected is the time needed to design and im- plement these approaches: To ensure that the computation is Since 2001, AES (Advanced Encryption Standard) is the en- completed within a “reasonable” amount of time, it is neces- cryption standard for block ciphers [FIPS 197, 2001]. It sary to reduce the branching by introducing clever reasoning. guarantees communication confidentiality by using a secret Of course, this hard task is also likely to introduce bugs, and key K to encode an original plaintext X into a ciphertext checking the correctness or the optimality of the computed AESK (X), in such a way that the ciphertext can further solutions may not be so easy. Finally, reproducibility may be decoded into the original one using the same key, i.e., also be an issue. Other researchers may want to adapt these −1 X = AESK (AESK (X)). Cryptanalysis aims at testing algorithms to other problems, with some common features whether confidentiality is actually guaranteed. In particular, but also some differences, and this may again be very diffi- differential cryptanalysis [Biham and Shamir, 1991] evalu- cult and time-consuming. ates whether it is possible to find the key within a reasonable In [Gerault et al., 2016], we proposed to use Constraint number of trials by considering plaintext pairs (X; X0) and Programming (CP) to solve this problem. When using CP studying the propagation of the initial difference X ⊕ X0 be- to solve a problem, one simply has to model the problem by tween X and X0 while going through the ciphering process means of constraints. Then, this model is solved by generic (where ⊕ is the xor operator). Today, differential cryptanaly- solvers usually based on a Branch & Propagate approach: sis is public knowledge, and block ciphers such as AES have The search space is explored by building a search tree, and proven bounds against differential attacks. Hence, [Biham, constraints are propagated at each tree node in order to prune 1993] proposed a new type of attack called related-key attack branches. CP opens new perspectives for this kind of crypt- that allows an attacker to inject differences not only between analysis problems. First, it is very competitive with dedicated the plaintexts X and X0 but also between the keys K and K0 approaches: When the key has 128 bits, Chuffed [Chu and (even if the secret key K stays unknown from the attacker). Stuckey, 2014] is able to find optimal solutions in less than To mount related-key attacks, the cryptanalist must find one hour. Second, the CP model is easier to check or re-use optimal related-key differentials, i.e., a plaintext difference than a full program that not only describes the problem to δX and a key difference δK that maximize the probabil- solve, but also how to solve it. Actually, CP allowed us to ity that, for randomly chosen plaintext X and key K, the prove that a solution claimed to be optimal in [Biryukov and difference X ⊕ δX in the input plaintexts becomes the dif- Nikolic, 2010; Fouque et al., 2013] is not optimal by provid- 0 ference AESK (X) ⊕ AESK⊕δK (X ) in the output cipher- ing a better solution. texts. Finding the optimal related-key differentials for AES is a highly combinatorial problem that hardly scales. Two 2 Problem Statement main approaches have been proposed to solve this problem: a AES block cipher. AES ciphers blocks of length n = 128 ∗This research was conducted with the support of the FEDER bits, and each block is a 4 × 4 matrix of bytes. The length of program of 2014-2020 and the region council of Auvergne keys is l 2 f128; 192; 256g. In this paper, we only consider 4844 Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence (IJCAI-17) Operations applied at each round i 2 [0; r − 1]: Key K = K0 SKi[j][3] = (4×4 bytes) Subkey Ki+1 KS S(Ki[j][3]) KS ARK S SR MC i = r SB ARK i = 0 i < r Plaintext X Xi SXi = S(Xi) SR(SXi) Yi = MC(SR(SXi)) Xr Ciphertext (4×4 bytes) SXr = AESK (X) Figure 1: AES ciphering process. Each 4 × 4 array represents a group of 16 bytes. Before the first round, ARK is applied on X and K to obtain X0. Then, for each round i 2 [0; r − 1], S is applied on Xi to obtain SXi, SR and MC are applied on SXi to obtain Yi, KS is applied on Ki to obtain Ki+1 (and during KS, S is applied on Ki[j][3] to obtain SKi[j][3], 8j 2 [0; 3]), and ARK is applied on Ki+1 and Yi to obtain Xi+1. The ciphertext SXr is obtained by applying SB on Xr. keys of length l = 128, and keys are 4 × 4 matrices of bytes. Optimal related-key differentials. Let us note δB = Given a 4 × 4 matrix of bytes M, we note M[j][k] the byte at B ⊕ B0 the difference between two bytes B and B0, and row j 2 [0; 3] and column k 2 [0; 3]. diffBytes = fδB j B 2 Bytesg the set of all differential AES is an iterative process, and we note Xi the ciphertext bytes. at the beginning of round i 2 [0; r]. Each round is composed Mounting attacks requires finding a related-key differential of the following operations, as displayed in Fig. 1: characteristic, i.e. a plaintext difference δX = X ⊕ X0 and a key difference δK = K ⊕ K0, such that δX becomes δSX • SubBytes S. S is a non-linear permutation which r after r rounds with a probability as hight as possible. This can is applied on each byte of X separately, i.e., 8j; k 2 i be achieved by tracking the propagation of the initial differ- [0; 3], X [j][k] is replaced by S(X [j][k]), according to i i ences through the cipher. Once such an optimal differential a lookup table. We note SX = S(X ). i i characteristic is found, the cryptanalist asks for the encryp- • ShiftRows SR. SR is a linear mapping that rotates on tion of messages satisfying the input difference. When this the left by 1 byte position (resp. 2 and 3 byte positions) difference propagates as expected, he can infer informations the second row (resp. third and fourth rows) of SXi. leading to a recovery of the secret key K with less workload than exhaustive search. The difficulty of recovering K de- • MixColumns MC. MC is a linear mapping that mul- creases as the probability of the used differential characteris- tiplies each column of SR(SX ) by a 4 × 4 fixed matrix i tic increases. The AES operators SR; MC; ARK; and KS chosen for its good properties of diffusion [Daemen and are linear, i.e., they propagate differences in a deterministic Rijmen, 2002]. In particular, it has the Maximum Dis- way (with probability 1). However, the S operator is not lin- tance Separable (MDS) property: For each column, the ear: Given a byte difference B ⊕ B0 = δB, the probability total number of bytes which are different from 0, before that δB becomes S(B) ⊕ S(B0) = δSB is P r(δB ! δSB). and after applying MC, is either equal to 0 or strictly It is equal to 1 if δB = 0 (i.e., B = B0). However, if δB 6= 0, greater than 4. We note Yi = MC(SR(SXi)). 2 4 then P r(δB ! δSB) 2 f 256 ; 256 g. • KeySchedule KS. The subkey at round 0 is the ini- The probability that δX becomes δSXr is equal to the tial key, i.e., K0 = K. For each round i 2 [0; r − 1], product of all P r(δB ! δSB) such that δB (resp. δSB) the subkey Ki+1 is generated from Ki by applying KS. is a byte difference before (resp. after) passing through 0 0 It first replaces each byte Ki[j][3] of the last column by the S operator when ciphering X with K and X with K , S(Ki[j][3]) (where S is the SubBytes operator), and i.e., the product of all P r(δXi[j][k] ! δSXi[j][k]) and all we note SKi[j][3] = S(Ki[j][3]).
Load more

Recommended publications
  • Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin
    Cryptanalysis of Feistel Networks with Secret Round Functions Alex Biryukov, Gaëtan Leurent, Léo Perrin To cite this version: Alex Biryukov, Gaëtan Leurent, Léo Perrin. Cryptanalysis of Feistel Networks with Secret Round Functions. Selected Areas in Cryptography - SAC 2015, Aug 2015, Sackville, Canada. hal-01243130 HAL Id: hal-01243130 https://hal.inria.fr/hal-01243130 Submitted on 14 Dec 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Cryptanalysis of Feistel Networks with Secret Round Functions ? Alex Biryukov1, Gaëtan Leurent2, and Léo Perrin3 1 [email protected], University of Luxembourg 2 [email protected], Inria, France 3 [email protected], SnT,University of Luxembourg Abstract. Generic distinguishers against Feistel Network with up to 5 rounds exist in the regular setting and up to 6 rounds in a multi-key setting. We present new cryptanalyses against Feistel Networks with 5, 6 and 7 rounds which are not simply distinguishers but actually recover completely the unknown Feistel functions. When an exclusive-or is used to combine the output of the round function with the other branch, we use the so-called yoyo game which we improved using a heuristic based on particular cycle structures.
    [Show full text]
  • State of the Art in Lightweight Symmetric Cryptography
    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
    [Show full text]
  • Data Encryption Standard
    Data Encryption Standard The Data Encryption Standard (DES /ˌdiːˌiːˈɛs, dɛz/) is a Data Encryption Standard symmetric-key algorithm for the encryption of electronic data. Although insecure, it was highly influential in the advancement of modern cryptography. Developed in the early 1970s atIBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with theNational Security Agency (NSA), the NBS eventually selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. The publication of an NSA-approved encryption standard simultaneously resulted in its quick international adoption and widespread academic scrutiny. Controversies arose out of classified The Feistel function (F function) of DES design elements, a relatively short key length of the symmetric-key General block cipher design, and the involvement of the NSA, nourishing Designers IBM suspicions about a backdoor. Today it is known that the S-boxes that had raised those suspicions were in fact designed by the NSA to First 1975 (Federal Register) actually remove a backdoor they secretly knew (differential published (standardized in January 1977) cryptanalysis). However, the NSA also ensured that the key size was Derived Lucifer drastically reduced such that they could break it by brute force from [2] attack. The intense academic scrutiny the algorithm received over Successors Triple DES, G-DES, DES-X, time led to the modern understanding of block ciphers and their LOKI89, ICE cryptanalysis.
    [Show full text]
  • Miss in the Middle Attacks on IDEA and Khufu
    Miss in the Middle Attacks on IDEA and Khufu Eli Biham? Alex Biryukov?? Adi Shamir??? Abstract. In a recent paper we developed a new cryptanalytic techni- que based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this paper we describe the application of this technique to the block ciphers IDEA and Khufu. In both cases the new attacks cover more rounds than the best currently known attacks. This demonstrates the power of the new cryptanalytic technique, shows that it is applicable to a larger class of cryptosystems, and develops new technical tools for applying it in new situations. 1 Introduction In [5,17] a new cryptanalytic technique based on impossible differentials was proposed, and its application to Skipjack [28] and DEAL [17] was described. In this paper we apply this technique to the IDEA and Khufu cryptosystems. Our new attacks are much more efficient and cover more rounds than the best previously known attacks on these ciphers. The main idea behind these new attacks is a bit counter-intuitive. Unlike tra- ditional differential and linear cryptanalysis which predict and detect statistical events of highest possible probability, our new approach is to search for events that never happen. Such impossible events are then used to distinguish the ci- pher from a random permutation, or to perform key elimination (a candidate key is obviously wrong if it leads to an impossible event). The fact that impossible events can be useful in cryptanalysis is an old idea (for example, some of the attacks on Enigma were based on the observation that letters can not be encrypted to themselves).
    [Show full text]
  • Impossible Differential Cryptanalysis of Reduced Round Hight
    1 IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY CIHANG˙ IR˙ TEZCAN IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY JUNE 2009 Approval of the thesis: IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT submitted by CIHANG˙ IR˙ TEZCAN in partial fulfillment of the requirements for the degree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Ersan Akyıldız Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Ali Doganaksoy˘ Supervisor, Mathematics Examining Committee Members: Prof. Dr. Ersan Akyıldız METU, Institute of Applied Mathematics Assoc. Prof. Ali Doganaksoy˘ METU, Department of Mathematics Dr. Muhiddin Uguz˘ METU, Department of Mathematics Dr. Meltem Sonmez¨ Turan Dr. Nurdan Saran C¸ankaya University, Department of Computer Engineering Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: CIHANG˙ IR˙ TEZCAN Signature : iii ABSTRACT IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT Tezcan, Cihangir M.Sc., Department of Cryptography Supervisor : Assoc. Prof. Dr. Ali Doganaksoy˘ June 2009, 49 pages Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive.
    [Show full text]
  • Cryptanalysis of Selected Block Ciphers
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 Cryptanalysis of Selected Block Ciphers Alkhzaimi, Hoda A. Publication date: 2016 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Alkhzaimi, H. A. (2016). Cryptanalysis of Selected Block Ciphers. Technical University of Denmark. DTU Compute PHD-2015 No. 360 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Cryptanalysis of Selected Block Ciphers Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at the Department of Mathematics and Computer Science-COMPUTE in The Technical University of Denmark by Hoda A.Alkhzaimi December 2014 To my Sanctuary in life Bladi, Baba Zayed and My family with love Title of Thesis Cryptanalysis of Selected Block Ciphers PhD Project Supervisor Professor Lars R. Knudsen(DTU Compute, Denmark) PhD Student Hoda A.Alkhzaimi Assessment Committee Associate Professor Christian Rechberger (DTU Compute, Denmark) Professor Thomas Johansson (Lund University, Sweden) Professor Bart Preneel (Katholieke Universiteit Leuven, Belgium) Abstract The focus of this dissertation is to present cryptanalytic results on selected block ci- phers.
    [Show full text]
  • Design and Analysis of Lightweight Block Ciphers : a Focus on the Linear
    Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer Christof Beierle Doctoral Dissertation Faculty of Mathematics Ruhr-Universit¨atBochum December 2017 Design and Analysis of Lightweight Block Ciphers: A Focus on the Linear Layer vorgelegt von Christof Beierle Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum Dezember 2017 First reviewer: Prof. Dr. Gregor Leander Second reviewer: Prof. Dr. Alexander May Date of oral examination: February 9, 2018 Abstract Lots of cryptographic schemes are based on block ciphers. Formally, a block cipher can be defined as a family of permutations on a finite binary vector space. A majority of modern constructions is based on the alternation of a nonlinear and a linear operation. The scope of this work is to study the linear operation with regard to optimized efficiency and necessary security requirements. Our main topics are • the problem of efficiently implementing multiplication with fixed elements in finite fields of characteristic two. • a method for finding optimal alternatives for the ShiftRows operation in AES-like ciphers. • the tweakable block ciphers Skinny and Mantis. • the effect of the choice of the linear operation and the round constants with regard to the resistance against invariant attacks. • the derivation of a security argument for the block cipher Simon that does not rely on computer-aided methods. Zusammenfassung Viele kryptographische Verfahren basieren auf Blockchiffren. Formal kann eine Blockchiffre als eine Familie von Permutationen auf einem endlichen bin¨arenVek- torraum definiert werden. Eine Vielzahl moderner Konstruktionen basiert auf der wechselseitigen Anwendung von nicht-linearen und linearen Abbildungen.
    [Show full text]
  • Analysis of Differential Attacks in ARX Constructions. Asiacrypt 2012
    Analysis of Differential Attacks in ARX Constructions Full version of the Asiacrypt 2012 paper Gaëtan Leurent University of Luxembourg – LACS [email protected] Abstract. In this paper, we study differential attacks against ARX schemes. We build upon the generalized characteristics of de Cannière and Rechberger; we introduce new multi-bit constraints to describe differential characteristics in ARX designs more accurately, and quartet constraints to analyze boomerang attacks. We also describe how to propagate those constraints; this can be used either to assist manual construction of a differential characteristic, or to extract more information from an already built characteristic. We show that our new constraints are more precise than what was used in previous works, and can detect more cases of incompatibility. We have developed a set of tools for this analysis of ARX primitives based on this set of constraints. In the hope that this will be useful to other cryptanalysts, our tools are publicly available at http://www.di.ens.fr/~leurent/arxtools.html. As a first application, we show that several published attacks are in fact invalid because the differential characteristics cannot be satisfied. This highlights the importance of verifying differential attacks more thoroughly. Keywords: Symmetric ciphers, Hash functions, ARX, Generalized characteristics, Differ- ential attacks, Boomerang attacks 1 Introduction A popular way to construct cryptographic primitives is the so-called ARX design, where the construction only uses Additions (a b), Rotations (a o i), and Xors (a ⊕ b). These operations are very simple and can be implemented efficiently in software or in hardware, but when mixed together, they interact in complex and non-linear ways.
    [Show full text]
  • The Retracing Boomerang Attack
    The Retracing Boomerang Attack Orr Dunkelman1, Nathan Keller2, Eyal Ronen3;4, and Adi Shamir5 1 Computer Science Department, University of Haifa, Israel [email protected] 2 Department of Mathematics, Bar-Ilan University, Israel [email protected] 3 School of Computer Science, Tel Aviv University, Tel Aviv, Israel [email protected] 4 COSIC, KU Leuven, Heverlee, Belgium 5 Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Israel [email protected] Abstract. Boomerang attacks are extensions of differential attacks, that make it possible to combine two unrelated differential properties of the first and second part of a cryptosystem with probabilities p and q into a new differential-like property of the whole cryptosystem with probability p2q2 (since each one of the properties has to be satisfied twice). In this paper we describe a new version of boomerang attacks which uses the counterintuitive idea of throwing out most of the data (including poten- tially good cases) in order to force equalities between certain values on the ciphertext side. This creates a correlation between the four proba- bilistic events, which increases the probability of the combined property to p2q and increases the signal to noise ratio of the resultant distin- guisher. We call this variant a retracing boomerang attack since we make sure that the boomerang we throw follows the same path on its forward and backward directions. To demonstrate the power of the new technique, we apply it to the case of 5-round AES. This version of AES was repeatedly attacked by a large variety of techniques, but for twenty years its complexity had remained stuck at 232.
    [Show full text]
  • Statistical Cryptanalysis of Block Ciphers
    STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work.
    [Show full text]
  • Cryptanalysis of Reduced Round SKINNY Block Cipher
    Cryptanalysis of Reduced round SKINNY Block Cipher Sadegh Sadeghi1, Tahereh Mohammadi2 and Nasour Bagheri2,3 1 Department of Mathematics, Faculty of Mathematical Sciences and Computer, Kharazmi University, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, {T.Mohammadi,Nabgheri}@sru.ac.ir 3 School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran, [email protected] Abstract. SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones. Keywords: SKINNY · Zero-correlation linear cryptanalysis · Related-tweakey impos- sible differential cryptanalysis · MILP 1 Introduction Because of the growing use of small computing devices such as RFID tags, the new challenge in the past few years has been the application of conventional cryptographic standards to small devices.
    [Show full text]
  • An Improved Impossible Differential Attack on MISTY1
    An Improved Impossible Differential Attack on MISTY1 Orr Dunkelman1,⋆ and Nathan Keller2,⋆⋆ 1 Ecole´ Normale Sup´erieure D´epartement d’Informatique, CNRS, INRIA 45 rue d’Ulm, 75230 Paris, France. [email protected] 2Einstein Institute of Mathematics, Hebrew University. Jerusalem 91904, Israel [email protected] Abstract. MISTY1 is a Feistel block cipher that received a great deal of cryptographic attention. Its recursive structure, as well as the added FL layers, have been successful in thwarting various cryptanalytic tech- niques. The best known attacks on reduced variants of the cipher are on either a 4-round variant with the FL functions, or a 6-round variant without the FL functions (out of the 8 rounds of the cipher). In this paper we combine the generic impossible differential attack against 5-round Feistel ciphers with the dedicated Slicing attack to mount an attack on 5-round MISTY1 with all the FL functions with time com- plexity of 246.45 simple operations. We then extend the attack to 6- round MISTY1 with the FL functions present, leading to the best known cryptanalytic result on the cipher. We also present an attack on 7-round MISTY1 without the FL layers. 1 Introduction MISTY1 [10] is a 64-bit block cipher with presence in many cryptographic stan- dards and applications. For example, MISTY1 was selected to be in the CRYP- TREC e-government recommended ciphers in 2002 and in the final NESSIE portfolio of block ciphers, as well as an ISO standard (in 2005). MISTY1 has a recursive Feistel structure, where the round function is in itself (very close to) a 3-round Feistel construction.
    [Show full text]