The Design and Analysis of Symmetric Cryptosystems
Total Page:16
File Type:pdf, Size:1020Kb
The Design and Analysis of Symmetric Cryptosystems Gordon Procter Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Royal Holloway, University of London 2015 Declaration These doctoral studies were conducted under the supervision of Prof. Carlos Cid. The work presented in this thesis is the result of original research carried out by my- self, in collaboration with others, whilst enrolled in the Department of Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Gordon Procter August 2015 2 Acknowledgements First and foremost, I wish to thank my supervisor Carlos Cid. Throughout this PhD, he has provided guidance, support, and advice. He has encouraged me explore the topics and areas that I find interesting and always had an interesting observation to make. Many thanks are due to the co-authors that I have had the privilege to work with. I've enjoyed productive collaborations with Pooya Farshim, Lo¨ıcFerreira, and Matt Robshaw. I also owe Jean Paul Degabriele thanks, for his contributions to both my education and my research. The ECRYPT project has provided great opportunities for me to join a wonderful community of European researchers working on symmetric cryptography. I am very grateful for the events they have organised (with their generous travel funding) and to everyone within that community. The department at Royal Holloway has been an excellent venue for the last 4 years: sincere thanks to everyone that has made it so. My fellow PhD students have kept me going with humour, squash, and coffee. Kenny and Bertram have provided motivation, opportunities, and interesting ideas. Susan and James deserve a special mention, for the sarcasm and the essential life lessons. Thanks to my parents, for supporting me in everything I do. Finally, thanks to Rachael, for putting up with it all. 3 Abstract Message authentication schemes built from universal hash functions are commonly used for fast and secure message authentication. By studying universal hash func- tions based on polynomial evaluation, we identify some properties which arise from the underlying algebraic structure. As a result, we are able to describe a general forgery attack against the related message authentication schemes, as well as pro- viding a common description of all known attacks against such schemes, and greatly expanding the number of known weak keys. Iterated Even{Mansour ciphers are also popular and we initiate the theoretical study of these ciphers' security against related-key attacks. The simplest one-round Even{ Mansour cipher is shown to achieve a non-trivial level of related-key security. How- ever, offsetting keys by constants is not included in this result; two rounds suffice to reach that level of security under chosen-plaintext attacks and three rounds boosts security to resist chosen-ciphertext attacks. Tweakable block ciphers are a generalisation of block ciphers that take an additional input (the tweak) in order to provide an efficient alternative to re-keying the cipher. We analyse the security reduction given for CLRW2, a method for constructing a tweakable block cipher from a (conventional) block cipher and a universal hash function. Having identified an error in the proof, we provide a revised proof with a new bound. Finally, we study the security of two schemes that have been proposed for standardis- ation. The first is a composition of Bernstein's ChaCha20 and Poly1305, as proposed for use in IETF protocols as an authenticated encryption scheme; the second is an ultra-lightweight RFID authentication protocol proposed as part of ISO/IEC 29167. We conclude that the first is a secure authenticated encryption scheme, while the second is catastrophically broken by algebraic attacks. 4 Contents 1 Introduction 10 1.1 Motivation and context . 10 1.2 Thesis structure . 13 2 Preliminaries 16 2.1 Notation . 16 2.2 Cryptographic background . 17 2.2.1 Pseudorandom functions . 17 2.2.2 Block ciphers . 18 2.2.3 Cryptographic permutations . 21 2.2.4 Symmetric encryption schemes . 22 2.2.5 Tweakable block ciphers . 25 2.2.6 Message authentication codes . 27 2.2.7 Universal hash functions . 29 2.2.8 Authenticated encryption . 32 2.3 Security models . 35 2.3.1 Weak keys . 35 2.3.2 Related-key attacks . 36 2.3.3 Indifferentiability . 38 2.3.4 Algebraic cryptanalysis . 41 3 Polynomial-based hash functions 42 3.1 Introduction . 43 3.2 Prior work . 44 3.2.1 Polynomial-evaluation-based hash functions . 44 3.2.2 Security analyses . 48 3.3 Algebraic structure and its implications . 52 3.3.1 A generalised forgery attack . 52 3.3.2 Malleability . 55 3.3.3 Length extension . 56 3.3.4 Key recovery . 57 3.3.5 Choosing polynomials . 58 3.4 Algebraic structure of previous attacks . 60 3.4.1 Ferguson's short tag attack . 60 3.4.2 Joux's forbidden attack . 61 3.4.3 Handschuh and Preneel's attacks . 61 3.4.4 Saarinen's cycling attacks . 62 3.5 Weak keys . 63 5 CONTENTS 3.5.1 Handschuh and Preneel's weak key . 63 3.5.2 Saarinen's weak keys . 64 3.5.3 New weak-key classes . 64 3.6 GCM with short multiplications . 66 3.6.1 Introduction . 66 3.6.2 Attacks . 67 3.7 Square Hash . 70 3.7.1 Introduction . 70 3.7.2 Weak-key classes . 71 3.8 Discussion . 73 3.8.1 Choice of fields . 74 3.8.2 Length extension . 74 3.8.3 Malleability . 75 3.8.4 Weak keys . 75 4 The related-key security of iterated Even{Mansour ciphers 77 4.1 Introduction . 78 4.2 Preliminaries . 80 4.2.1 Notation . 80 4.2.2 The Even{Mansour ciphers . 81 4.2.3 Security Analyses . 82 4.2.4 Cryptanalysis . 83 4.3 The RKA security of EMπ[1; 1] ..................... 83 4.3.1 Restricting RKD sets . 84 4.3.2 Sufficiency of the conditions . 88 4.4 The RKCPA security of EMπ[1; 1; 1] . 99 4.4.1 Weakening the conditions . 100 4.4.2 Sufficiency of the conditions . 102 4.4.3 Φ⊕-RKA Security . 110 4.4.4 A Φ⊕-RKCCA attack on EMπ[1; 1; 1] . 113 4.5 The RKCCA security of EMπ[1; 1; 1; 1] . 114 4.5.1 Attacking EMπ[κ] for κ = [1; 1; 1; 1] . 114 6 4.5.2 The security of EMπ[1; 1; 1; 1] . 115 4.6 Discussion . 125 5 The CLRW2 tweakable block cipher 127 5.1 Introduction . 127 5.2 Preliminaries . 129 5.2.1 Description of CLRW2 . 130 5.2.2 Notation . 130 5.3 Proof summary . 131 5.3.1 Partitioning the output set . 131 5.3.2 Structure of the games . 133 5.3.3 Games 4 and 5 . 135 5.4 The flaw in the proof . 139 5.4.1 Flawed sampling methods . 139 5.4.2 Causing an inversion . 140 6 5.5 A revised proof . 141 5.6 A limitation of this proof technique . 150 6 Standardisation and cryptography 152 6.1 Introduction . 152 6.2 The composition of ChaCha20 and Poly1305 . 154 6.2.1 Notation . 155 6.2.2 Description of the algorithms . 156 6.2.3 Security model . 158 6.2.4 Our result . 159 6.3 Algebraic cryptanalysis and ISO/IEC 29167-15 . 164 6.3.1 The standardisation landscape for UHF RFID . 164 6.3.2 The first version of ISO/IEC 29167-15 . 166 6.3.3 The working draft of ISO/IEC 29167-15 . 168 6.3.4 The first committee draft of ISO/IEC 29167-15 . 170 6.3.5 The final committee draft of ISO/IEC 29167-15 . 175 6.3.6 Other insecure variants of ISO/IEC 29167-15 . 181 6.3.7 Results and discussion . 184 6.4 Discussion . 185 Bibliography 187 7 Abbreviations 3GPP 3rd Generation Partnership Project AE Authenticated Encryption AEAD Authenticated Encryption with Associated Data AES Advanced Encryption Standard ANSI American National Standards Institute ARX (modular) Addition, Rotation, Xor ATM Automated Teller Machine AXU Almost XOR Universal BC Block Cipher CBC Cipher Block Chaining CCA Chosen Ciphertext Attack CD Committee Draft CF Claw Freeness CF1 First-order Claw Freeness CFB Cipher Feedback CFRG Crypto Forum Research Group CLRW2 Chained LRW2 CPA Chosen Plaintext Attack CRC Cyclic Redundancy Check CTR Counter CTXT Ciphertext DES Data Encryption Standard DIS Draft International Standard ECB Electronic Codebook EM Even{Mansour EMV Europay, MasterCard, and Visa ENISA European Union Agency for Network and Information Security FDIS Final Draft International Standard FIPS Federal Information Processing Standard GCD Greatest Common Divisor GCHQ Government Communication Headquarters GCM Galois/Counter Mode GCM/2+ Galois/Counter Mode with short multiplications HF High Frequency HMAC Hash-based Message Authentication Code IDEA International Data Encryption Algorithm IEC International Electrotechnical Commission 8 IETF Internet Engineering Task Force IND Indistinguishability INT Integrity IPsec Internet Protocol Security IRTF Internet Research Task Force ISO International Organization for Standardization IV Initialisation Vector LRW2 Tweakable Block Cipher proposed by Liskov, Rivest, and Wagner MAC Message Authentication Code MMH Multilinear Modular Hashing NIST National Institute of Standards and Technology OCB Offset Codebook OFB Output Feedback OUP Output Unpredictable OUP1 First-order Output Unpredictable PMAC Parallelisable Message Authentication Code PRF Pseudorandom Function PRG Pseudorandom Generator PRP Pseudorandom Permutation QI Query Independence QI1 First-order Query Independence RFC Request for Comments RFID Radio Frequency Identification RKA Related-key Attack RKCCA Related-key Chosen Ciphertext Attack RKCPA Related-key Chosen Plaintext Attack RKD Related-key-deriving SAT Boolean Satisfiability SES Symmetric Encryption Scheme SGCM Sophie Germaine Counter Mode SHA Secure Hash Algorithm SPRP Strong Pseudorandom Permutation SSH Secure Shell SSL Secure Socket Layer TBC Tweakable Block Cipher TLS Transport Layer Security TPRP Tweaked Pseudorandom Permutation TSPRP Tweaked Strong Pseudorandom Permutation UHF Ultra High Frequency WD Working Draft XCB Extended Codebook XCF Xor Claw Freeness XE Xor-Encrypt XEX Xor-Encrypt-Xor XQI Xor Query Independence XTS XEX-based Tweaked-codebook Mode with Ciphertext Stealing 9 Chapter 1 Introduction Contents 1.1 Motivation and context .