
Analysis of Block Cipher Constructions against Biclique and Multiset Attacks

By Mohona Ghosh
Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi)

Supervisors: Dr. Somitra Sanadhya, Dr. Donghoon Chang

January, 2016

© Indraprastha Institute of Information Technology (IIIT-D), New Delhi, 2016

Analysis of Block Cipher Constructions against Biclique and Multiset Attacks

By Mohona Ghosh

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science & Engineering to the Indraprastha Institute of Information Technology, Delhi

January, 2016

Certificate

This is to certify that the thesis titled "Analysis of Block Cipher Constructions against Biclique and Multiset Attacks" being submitted by Mohona Ghosh to Indraprastha Institute of Information Technology, Delhi, for the award of the degree of Doctor of Philosophy, is an original research work carried out by her under our supervision. In our opinion, the thesis has reached the standards fulfilling the requirements of the regulations relating to the degree. The results contained in this thesis have not been submitted in part or full to any other university or institute for the award of any degree/diploma.

Dr. Somitra Sanadhya
Dr. Donghoon Chang
January, 2016
Department of Computer Science
Indraprastha Institute of Information Technology, Delhi
New Delhi, 110020

Acknowledgments

"It takes a big heart to help shape little minds" - Unknown

First and foremost, I express my heartfelt gratitude to my esteemed teacher and guide, Dr. Somitra Sanadhya, my inspiration, for his invaluable guidance, constant support and for the intellectual stimulation given, which I will cherish in my heart always. His constant oasis of ideas exceptionally enriches the learner's thought process. I am extremely fortunate to have him as my advisor. I also express my sincere gratitude to my esteemed co-advisor, Dr. Donghoon Chang, who has helped me immensely throughout my PhD life.
All of the research I have conducted in completing my thesis wouldn't have been possible without his vision, encouragement and support. I would like to thank my PhD examiners, Dr. Vincent Rijmen, Dr. Sourav Mukhopadhyay and Dr. Jiageng Chen for their valuable comments and suggestions which helped me improve my dissertation. I am grateful to Dr. Andrey Bogdanov for the inspiring and fruitful collaboration I had with him. His passion for cryptanalysis and the perseverance of always pushing the results to a higher standard will always inspire me in my future research pursuits.

I take this opportunity to thank all the members of my Crypto Lab. The resources and environment provided by them really helped me in my research. They have made my research life at IIIT-Delhi less tense. I would like to thank all my friends from IIIT-Delhi, especially Sweta, Monalisa, Monika, Megha, Madhvi, Madhur, Jyoti and Tarun for their help and cooperation that always kept my spirits high. Their company made my graduate life a memorable one. I had a great opportunity to closely work with some brilliant undergraduate students: Akshima and Aarushi Goel. I would also like to forward my gratitude to Tata Consultancy Services (TCS), India for awarding me the prestigious TCS fellowship for my full PhD period.

On a personal front, I owe my heartfelt thanks to my parents, my uncle and my sister for their unconditional support, understanding and encouragement without which this dissertation would not have got completed. Above all, I am grateful to the Almighty, who showered the opportunity, blessings and moral courage on me to complete this dissertation.

List of Publications

The author names are in alphabetical order.

1. Andrey Bogdanov, Donghoon Chang, Mohona Ghosh, and Somitra Kumar Sanadhya. Bicliques with Minimal Data and Time Complexity for AES.
In Jooyoung Lee and Jongsung Kim, editors, Information Security and Cryptology - ICISC 2014 - 17th International Conference, Seoul, Korea, December 3-5, 2014, Revised Selected Papers, volume 8949 of Lecture Notes in Computer Science, pages 160-174. Springer, 2014.

2. Megha Agrawal, Donghoon Chang, Mohona Ghosh, and Somitra Kumar Sanadhya. Collision attack on 4-branch, type-2 GFN based hash functions using Sliced Biclique Cryptanalysis Technique. In Dongdai Lin, Moti Yung, and Jianying Zhou, editors, Information Security and Cryptology - 10th International Conference, Inscrypt 2014, Beijing, China, December 13-15, 2014, Revised Selected Papers, volume 8957 of Lecture Notes in Computer Science, pages 343-360. Springer, 2014.

3. Donghoon Chang, Mohona Ghosh, and Somitra Kumar Sanadhya. Biclique Cryptanalysis of full round AES-128 based hashing modes. In Dongdai Lin, Moti Yung, and Xiaofeng Wang, editors, Information Security and Cryptology - 11th International Conference, Inscrypt 2015, Beijing, China, November 1-3, 2015, Revised Selected Papers, volume 9589 of Lecture Notes in Computer Science. Springer, 2015.

4. Akshima, Donghoon Chang, Mohona Ghosh, Aarushi Goel, and Somitra Kumar Sanadhya. Single Key Recovery Attacks on 9-round Kalyna-128/256 and Kalyna-256/512. In Soonhak Kwon and Aaram Yun, editors, Information Security and Cryptology - ICISC 2015 - 18th International Conference, Seoul, Korea, November 25-27, 2015, Revised Selected Papers, volume 9558 of Lecture Notes in Computer Science. Springer, 2015.

5. Akshima, Donghoon Chang, Mohona Ghosh, Aarushi Goel, and Somitra Kumar Sanadhya. Improved Meet-in-the-Middle Attacks on 7 and 8-Round ARIA-192 and ARIA-256. In Alex Biryukov and Vipul Goyal, editors, Progress in Cryptology - INDOCRYPT 2015 - 16th International Conference on Cryptology in India, Bangalore, India, December 6-9, 2015, Proceedings, volume 9462 of Lecture Notes in Computer Science, pages 198-217. Springer, 2015.
Abstract

Cryptographic protocols have been a cornerstone of secure communications among armed forces and diplomatic missions since time immemorial. With the easy availability and low cost of computing facilities and the Internet, the domain of cryptology has expanded not only to non-government uses but also to fulfilling the everyday needs of individuals. Block ciphers are the basic building blocks of most of today's deployed cryptography and are one of the most widely used cryptographic primitives. They play a crucial role in providing confidentiality of data transmitted over insecure communication channels, one of the fundamental goals of cryptography. Apart from this, block ciphers are also used to build other cryptographic mechanisms such as hash functions and message authentication codes. Hence, it is crucial to ensure that block cipher designs are secure and robust. To achieve this, it is imperative to analyze and evaluate the resistance of block ciphers against a variety of cryptanalytic attacks.

This thesis is devoted to the security analysis of block ciphers and block cipher based hash functions against some of the current state-of-the-art cryptanalytic techniques. We specifically focus on Biclique Cryptanalysis and Multiset Attacks in this work. We propose a new extension of the biclique technique, termed Star based Bicliques, and use them to solve the problem of high data complexity usually associated with this technique. Further, we also employ the above cryptanalytic methods to provide the best attacks on a few standardized block ciphers. Our cryptanalytic results are as follows:

1. We study biclique based key recovery attacks and find improvements that lower the attack costs compared to the original attack in [39]. These attacks are applied to full round AES-128 (10 rounds), AES-192 (12 rounds) and AES-256 (14 rounds) with interesting observations and results.
As part of the results, we propose star-based bicliques which allow us to launch attacks with the minimal data complexity in accordance with the unicity distance. Each attack requires just 2-3 known plaintexts with success probability 1.

2. We utilize the biclique based key recovery attacks to find second-preimages on AES based hashing modes. In our attacks, the initialization vector (IV) is a public constant that cannot be changed by the attacker. Under this setting, with message padding restrictions, the biclique trails constructed for the key recovery attack in [39] cannot be utilized here. We construct new biclique trails that satisfy the above restrictions and launch second preimage attacks on all 12 PGV hashing modes based on full round AES-128.

3. We investigate the security of Generalized Feistel Networks (GFNs) in the known-key scenario. We apply a variant of the biclique technique, termed sliced biclique cryptanalysis, on 4-branch, Type-2 Generalized Feistel Network (GFN) based hash functions to generate actual collisions. We further demonstrate the best 8-round collision attack on 4-branch, Type-2 GFNs when the round function F is instantiated with double SP layers.

4. We analyze the security of the Korean Encryption Standard ARIA against the meet-in-the-middle attack model. We conduct multiset based key recovery attacks on 7 and 8-round ARIA-192 and ARIA-256 with improved time, memory and data complexities compared to [168]. While the previous attacks on ARIA could only recover some round keys, our attacks show the first recovery of the complete master secret key.

5. We analyze the security of the recently announced Ukrainian Encryption Standard Kalyna against the meet-in-the-middle attack model. We apply multiset attacks supplemented with further related advancements in this attack technique to recover the secret key from 9-round Kalyna-128/256 and Kalyna-256/512.
This improves upon the previous best attack reported in [13] in terms of the number of rounds attacked by 2.

In terms of either the attack complexity or the number of attacked rounds, the attacks presented in the thesis are better than any previously published cryptanalytic results for the block ciphers concerned.

Contents

1 Introduction . . . 1
1.1 Motivation . . . 3
1.2 Thesis Organization . . . 5
1.3 Contributions . . . 6
2 Symmetric cryptosystems . . . 9
2.1 What is a block cipher? . . . 9
2.2 Anatomy of a block cipher . . . 10
2.3 Construction of iterated block ciphers . . .