
Downloaded from orbit.dtu.dk on: Sep 26, 2021

Publication date: 2011
Document Version: Early version, also known as pre-print
Citation (APA): Borghoff, J. (2011). Cryptanalysis of Lightweight Ciphers. Technical University of Denmark.

Technical University of Denmark
DTU Mathematics, Department of Mathematics

Cryptanalysis of Lightweight Ciphers
Julia Borghoff
Ph.D. Thesis
Kongens Lyngby, December 2010

Technical University of Denmark
Department of Mathematics
Matematiktorvet, Building 303S
DK-2800 Kongens Lyngby, Denmark
Phone +45 45253031, Fax +45 45881399
www.mat.dtu.dk

Title of Thesis: Cryptanalysis of Lightweight Ciphers

Ph.D. student: Julia Borghoff
Department of Mathematics, Technical University of Denmark
Address: Matematiktorvet, DTU Building 303 S, DK-2800 Lyngby, Denmark
E-mail: J.Borghoff@mat.dtu.dk

Supervisors: Lars Ramkilde Knudsen
Department of Mathematics, Technical University of Denmark
Address: Matematiktorvet, DTU Building 303 S, DK-2800 Lyngby, Denmark
E-mail: [email protected]

Censors:
Peter Beelen, DTU mathematics
Thomas Johansson, Lund University
Vincent Rijmen, KU Leuven

Summary

Lightweight encryption denotes a class of cryptographic algorithms that are suitable for extremely resource-constrained environments and offer a moderate security level. The demand for such lightweight encryption algorithms is increasing because small computing devices such as RFID tags are becoming more and more popular and form part of the pervasive communication infrastructure. But this extensive employment of computing devices is not only convenient, it also carries security risks.

Lightweight encryption algorithms can be divided into two classes: lightweight block ciphers and stream ciphers. Before a new algorithm can be deployed, an extensive assessment and analysis of its security is necessary. In this thesis we focus on the cryptanalysis of lightweight encryption schemes and we consider the two block ciphers C2 and Maya, as well as the stream cipher Trivium. We start with an introduction to block ciphers and stream ciphers and give an overview of the most general techniques in cryptanalysis. Furthermore, we investigate block ciphers with secret components. The idea of using secret components is to increase the security of the cipher. We present a cryptanalysis of the cipher C2 where we apply a newly developed technique for recovering the secret S-box, and a cryptanalysis of the PRESENT-like cipher Maya, which involves a differential-style attack. In the analysis of the stream cipher Trivium we combine optimization techniques with cryptanalysis.
In this new direction of research we examine the use of mixed-integer optimization and neighborhood search algorithms such as simulated annealing for solving non-linear Boolean equation systems.

Resumé (translated from Danish)

Lightweight encryption denotes a class of cryptographic algorithms that are particularly suited to environments with extremely limited resources and that offer a moderate security level. The demand for such lightweight encryption algorithms is growing because micro-computers, such as RFID tags, are becoming more and more popular as part of our growing communication infrastructure. This extensive use of micro-computers is not only practical, but also entails potential security risks.

Lightweight encryption algorithms can be divided into two classes: lightweight block ciphers and stream ciphers. Before being put into use, a new algorithm must undergo an extensive security assessment and analysis. In this thesis we focus on the cryptanalysis of lightweight encryption algorithms, and we examine the two block ciphers C2 and Maya as well as the stream cipher Trivium. We begin with an introduction to block ciphers and stream ciphers and give an overview of the most general methods of cryptanalysis. In addition, we examine block ciphers with secret components, whose purpose is to increase the security of the cipher. We present a cryptanalysis of the cipher C2, in which we apply a newly developed technique to find the secret S-box, and a cryptanalysis, which includes a differential attack, of the PRESENT-like cipher Maya. In the analysis of the stream cipher Trivium we combine optimization methods with cryptanalysis. In this new research direction we examine the use of mixed-integer optimization and neighborhood search algorithms such as "simulated annealing" for solving non-linear Boolean equation systems.

Preface

Most people use cryptography several times a day, often without being aware of it. Home banking, the Internet, mobile phones, NemID or access cards are just some examples.
The digital world is becoming more and more important in our lives; therefore it is also becoming more and more important that our transactions in that world are secure, so that nobody can manipulate our data, eavesdrop on our communications, etc. Mathematical algorithms called cryptographic primitives form the basis of this security. Any trapdoor in these primitives threatens the security of the application. Therefore it is important to analyze them carefully before they are employed in practice. This analysis is called cryptanalysis. Cryptanalysis advances by discovering unforeseen and unexpected structure in cryptographic problems. Such structural properties can often be exploited to decrease the complexity of breaking the cryptosystem below the designated security level.

In this thesis we investigate in particular the security of lightweight encryption schemes. These are cryptographic algorithms which can be employed in resource-constrained environments. We try to identify certain properties in the different algorithms which can be exploited to break the ciphers.

In Part I we give a short introduction to symmetric cryptographic primitives and their cryptanalysis.

Chapter 1 provides a motivation and a general introduction to the field of cryptography. We introduce cryptographic concepts such as symmetric and public-key encryption and define terminology such as security definitions, attack goals and scenarios.

Chapter 2 introduces the cryptographic primitives called block ciphers. We provide a short description of both Feistel ciphers and substitution-permutation networks, and introduce the ciphers C2 and PRESENT as examples of these design concepts.

Chapter 3 gives a short overview of stream cipher design. We compare the two most common stream cipher designs, synchronous and self-synchronizing stream ciphers, and afterwards we focus on the design of synchronous stream ciphers.
We discuss the properties of building blocks such as LFSRs and sketch designs based on them. After a short discussion of security considerations the chapter concludes with a description of the stream cipher Trivium.

Chapter 4 provides an introduction to cryptanalysis applied to block and stream ciphers. We give a short description of generic attacks such as the exhaustive key search, the table look-up attack, the dictionary attack, and the time-memory trade-offs. These attacks set the bounds on the security of block and stream ciphers. Subsequently, we present the two most important techniques in the cryptanalysis of symmetric encryption schemes: differential and linear cryptanalysis. Additionally, we describe the boomerang and the cube attacks as variants of the classical differential attack. The chapter concludes with algebraic attacks. Algebraic representations of symmetric encryption schemes are the basis for the novel cryptanalysis presented in Part III.

In Part II we examine the security of block ciphers with secret components, where we in particular consider block ciphers with secret S-boxes.

Chapter 5 is concerned with the cryptanalysis of the cipher C2. C2 is a 64-bit block Feistel cipher with a 56-bit key. The 8-bit S-box is application-dependent and kept secret. We show a trial-and-error attack which recovers the S-box in only 2^24 queries to the device and present a boomerang attack to determine the secret key. The differential used in the attack is independent of the S-box. These two attacks can be combined into an attack that enables us to recover the key and the S-box at the same time. This chapter is based on [22].

Chapter 6 addresses the cryptanalysis of PRESENT-like ciphers with secret S-boxes. We present a new differential-style attack which enables us to recover the S-boxes of the first round of encryption.
Furthermore, we show that an S-box can be uniquely determined if we know, for the S-box and its inverse, all sets of input pairs that lead to an output difference of Hamming weight one. The attack is successfully carried out on the cipher Maya and we are able to break the full version consisting of 16 rounds with a practical complexity. Based on a mathematical model we infer that our attack