Eindhoven University of Technology MASTER Algebraic differential attacks on symmetric cryptography Lukas, K.A.Y. Award date: 2016 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science Master’s thesis Algebraic differential attacks on symmetric cryptography by K.A.Y. Lukas (0758084) Supervisors: prof. dr. J. Daemen, prof. dr. T. Lange Second reader: dr. B. Skori˘ c´ Nijmegen, December 2016 Declaration I hereby declare that except where specific reference is made to the work of others, the contents of this thesis are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This thesis is the result of myownwork and includes nothing that is the outcome of work done in collaboration, except where specifically indicated in the text. K.A.Y. Lukas December 2016 Abstract This thesis studies the topic of algebraic differential attacks on symmetric cryptography. In particular, the effects of cube attacks by Dinur and Shamir [19] on sponge, duplex and farfalle constructions are researched. All three of these constructions utilize a permutation f to build cryptographic primitives. The impact of vulnerabilities of the used permutation in a duplex construction is investigated by performing a cube attack on the primate permutation family. The primate permutation family is used in the primates family for authenticated encryption. Farfalle is a construction for building a pseudorandom function that uses, in addition to a permutation f, an algorithm to encode block indices. We will show that the encoding algorithm used in farfalle must be chosen carefully, and that the sequence of encodings generated should not contain large affine subspaces. Our contribution in this thesis is a cube attack requiring 232 input blocks against one of the primates encryption schemes (gibbon), assuming that nonces are reused. By performing attacks on a reduced-round primate permutation, we make a prediction of the computational power required for the attack on gibbon. Furthermore, we present various types of algorithms that can be used to encode a sequence of block indices that will not contain large affine subspaces. These algorithms are specifically designed to be used in the farfalle construction to avoid the weakness we identified. Contents Declaration iii Abstract iv Contents vii 1 Introduction 1 2 Background and Definitions5 2.1 Background . .5 2.2 Definitions . .8 3 Sponge and Duplex constructions 15 3.1 Sponge construction . 16 3.1.1 Applications . 18 3.2 Duplex construction . 19 3.2.1 Applications . 21 3.3 Permutation types . 21 3.3.1 ARX-based . 22 3.3.2 S-box-based . 22 4 Higher-order differential cryptanalysis 25 4.1 Attack model . 25 4.2 Differential analysis . 26 4.2.1 Differential along a vector space . 29 4.3 Cube attacks . 30 4.3.1 An example attack . 30 4.3.2 Attack procedure . 32 4.3.3 Limitations of this attack . 34 5 Cube attack on primates 35 5.1 primates: an authenticated encryption family . 35 5.1.1 Schemes . 36 5.1.2 The permutation . 40 viii Contents 5.2 Cube attack on primates.................................. 41 5.2.1 Basic cube attack . 42 5.2.2 Generating linear equations out of quadratic equations . 42 5.2.3 Skipping the first SubElements operation . 43 5.3 Results . 44 5.3.1 Impact on the primate-family . 45 5.3.2 Attack details . 46 6 Farfalle: a parallelizable prf construction 49 6.1 Sketch of the scheme . 49 6.2 Vulnerability: creating an all-zero intermediate state . 51 6.3 Countermeasure using the counter encoding . 53 7 Low affine dimensional encoding 55 7.1 Calculating the affine dimension . 57 7.2 Basic multiplicative encodings . 60 7.2.1 Mathematical properties . 61 7.2.2 Experimental results . 66 7.3 Logarithmic encodings . 70 7.3.1 Dealing with even values of log (i) + 1 ...................... 70 b 2 c 7.3.2 Experimental results . 72 7.4 Concatenated encodings . 73 7.4.1 Mathematical properties . 74 7.4.2 Experimental analysis . 78 7.5 Rotation-based encodings . 80 7.5.1 Exponential encoding . 80 7.5.2 Shifted encoding . 81 7.5.3 Smeer encoding . 83 8 Conclusion 93 8.1 Future work . 94 References 95 Chapter 1 Introduction Cryptography is the science in which we study secret codes. These secret codes or ciphers trans- form unencrypted data (plaintext) into ciphertext. This ciphertext can not be read directly without decrypting it first, decryption transforms the ciphertext into the plaintext again. Cryptography is often divided into two groups: symmetric cryptography and asymmetric cryptography. Symmetric cryptography uses a single key for both encryption and decryption. Asymmetric cryptography uses one key for encryption and another key for decryption. As two different keys are used, a receiver can publish the key used for encryption (the public key), allowing anyone to send a message to the receiver, while keeping the key used for decryption private (the private key). This allows the receiver to be the only one able to decrypt messages. Symmetric cryptography is normally not able to do this. In this thesis we are concerned with symmetric cryptography only. When a new symmetric-key cipher has just been designed, it is often not known if this cipher is secure. The security of these ciphers cannot always be proven mathematically. This makes one question how our current ciphers are derived and why we consider the mainstream ciphers as se- cure. Secret-key cryptography has a long standing tradition of selecting secure ciphers by organizing competitions. These secure ciphers are selected from a wide range of submissions. The scientific com- munity puts these submitted ciphers under scrutiny by analysing and searching for vulnerabilities for each cipher. This allows the committee to select secure and well-performing ciphers. An example of such a competition is the aes competition. This competition was won by the Rijndael cipher (now called the aes cipher). The aim of this thesis is to provide a contribution to the caesar competition. The caesar competition is a competition for authenticated ciphers. The main difference between the aes competition and the caesar competition is that the caesar competition is about authen- ticated encryption schemes while the aes competition was purely for block ciphers. Authenticated ciphers provide encryption but also provide authenticity assurance on the data. Authenticity assur- ance means that the receiver can detect if unauthorized changes are made to the message. Often authenticated ciphers produce a ciphertext as well as an authentication tag. This authentication tag allows to the receiver to check the ciphertext for authenticity. In this thesis we contribute to two different ciphers: the authenticated encryption family primates and Keyak. Both ciphers were submitted as a candidate to the caesar competition. While this thesis was being written, the primates family was deselected for the current round (round three) of the 2 Introduction caesar competition. Nonetheless, we hope that the result can still be helpful for anyone wanting to use the primates family of authenticated algorithms and be helpful for the primates designers. To provide a contribution and to analyse these ciphers we will study differential attacks on sym- metric cryptography. Differential attacks are attacks that exploit relations between differences in- duced in the input data and differences observed in the output data. This type of cryptanalysis was first introduced by Biham and Shamir in 1991[9]. They used this type of cryptanalysis to break amongst others des. Biham and Shamir recognized that this type of attack was not specific to des and directly applied it to other des-like system. Differential attacks are together with linear crypt- analysis the most significant type of attacks on symmetric cryptography [23]. Linear cryptanalysis is a type of attack that formulates linear relations between the input and output data that hold with a high probability. The exact process is out of the scope of this thesis, more information can be found in “Linear Cryptanalysis Method for DES Cipher” by Matsui [31]. By encrypting multiple sets of data we are able to perform a differential attack. This input data will each time be nearly the same, except for a unique difference from the original data. Afterwards, we combine the output data in such a way that linear relations between input data and output data are found. By solving these linear relations we can reconstruct the input data. In chapter4 a closer look into differential attacks is given. Formalisms are taken from Seidlová [43]. Ciphers submitted to the caesar competition could be developed using various different tech- niques. Firstly, one can create a whole new cryptographic algorithm providing both encryption and authentication. This can give performance advantages because calculation of the encryption and the authentication tag can be combined in an efficient manner.