STATISTICAL CRYPTANALYSIS OF BLOCK CIPHERS THÈSE NO 3179 (2005) PRÉSENTÉE À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS Institut de systèmes de communication SECTION DES SYSTÈMES DE COMMUNICATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pascal JUNOD ingénieur informaticien dilpômé EPF de nationalité suisse et originaire de Sainte-Croix (VD) acceptée sur proposition du jury: Prof. S. Vaudenay, directeur de thèse Prof. J. Massey, rapporteur Prof. W. Meier, rapporteur Prof. S. Morgenthaler, rapporteur Prof. J. Stern, rapporteur Lausanne, EPFL 2005 to Mimi and Chlo´e Acknowledgments First of all, I would like to warmly thank my supervisor, Prof. Serge Vaude- nay, for having given to me such a wonderful opportunity to perform research in a friendly environment, and for having been the perfect supervisor that every PhD would dream of. I am also very grateful to the president of the jury, Prof. Emre Telatar, and to the reviewers Prof. em. James L. Massey, Prof. Jacques Stern, Prof. Willi Meier, and Prof. Stephan Morgenthaler for having accepted to be part of the jury and for having invested such a lot of time for reviewing this thesis. I would like to express my gratitude to all my (former and current) col- leagues at LASEC for their support and for their friendship: Gildas Avoine, Thomas Baign`eres, Nenad Buncic, Brice Canvel, Martine Corval, Matthieu Finiasz, Yi Lu, Jean Monnerat, Philippe Oechslin, and John Pliam. With- out them, the EPFL (and the crypto) would not be so fun! Without their support, trust and encouragement, the last part of this thesis, FOX, would certainly not be born: I owe to MediaCrypt AG, espe- cially to Ralf Kastmann and Richard Straub many, many, many hours of interesting work. I thank them warmly! The worldwide cryptologic community is especially friendly; I would like to thank all the researchers throughout the world for having shared with me ideas, discussions about cryptology, or simply nice moments during conferences: Alex Biryukov, Emmanuel Bresson, Nicolas Courtois, Pierre- Alain Fouque, Mounir Idrassi, Robert Johnson, Liam Keliher, S´ebastien Kunz-Jacques, Simon K¨unzli, Marco Maccheti, Gwena¨elle Martinet, Fr´ed´e- ric Muller, Phong Nguyen, Gilles Piret, Thomas Pornin, Emmanuel Prouff, Jean-Jacques Quisquater, Fr´ed´eric Raynal, Renato Renner, Michael Scott, Fran¸cois-Xavier Standaert, and David Wagner. Especially, I would like to thank Prof. Ueli Maurer for having opened my eyes on cryptology during his outstanding lectures at ETH Zurich. Since acknowldegments are definitely the most delicate part of a thesis, I would like to thank all people I might have forgotten. Last but not least, I would like to express my gratitude to my family, my close friends and to all the geeks of Kayak-Club Lausanne for sharing with me all (or almost all) the time where I do not think about crypto. Finally, I would like to thank my wife Myriam for her love and for her infinite patience. This thesis is dedicated to her and to our daughter Chlo´e. i —ii— Abstract Since the development of cryptology in the industrial and academic worlds in the seventies, public knowledge and expertise have grown in a tremen- dous way, notably because of the increasing, nowadays almost ubiquitous, presence of electronic communication means in our lives. Block ciphers are inevitable building blocks of the security of various electronic systems. Recently, many advances have been published in the field of public-key cryp- tography, being in the understanding of involved security models or in the mathematical security proofs applied to precise cryptosystems. Unfortu- nately, this is still not the case in the world of symmetric-key cryptography and the current state of knowledge is far from reaching such a goal. How- ever, block and stream ciphers tend to counterbalance this lack of “provable security” by other advantages, like high data throughput and ease of imple- mentation. In the first part of this thesis, we would like to add a (small) stone to the wall of provable security of block ciphers with the (theoretical and ex- perimental) statistical analysis of the mechanisms behind Matsui’s linear cryptanalysis as well as more abstract models of attacks. For this purpose, we consider the underlying problem as a statistical hypothesis testing prob- lem and we make a heavy use of the Neyman-Pearson paradigm. Then, we generalize the concept of linear distinguisher and we discuss the power of such a generalization. Furthermore, we introduce the concept of sequential distinguisher, based on sequential sampling, and of aggregate distinguish- ers, which allows to build sub-optimal but efficient distinguishers. Finally, we propose new attacks against reduced-round version of the block cipher IDEA. In the second part, we propose the design of a new family of block ciphers named FOX. First, we study the efficiency of optimal diffusive components when implemented on low-cost architectures, and we present several new constructions of MDS matrices; then, we precisely describe FOX and we discuss its security regarding linear and differential cryptanalysis, integral attacks, and algebraic attacks. Finally, various implementation issues are considered. iii —iv— R´esum´e Depuis le d´eveloppement de la cryptologie dans les mondes industriel et acad´emique, les connaissances et l’expertise publique ont crˆudemani`ere sou- tenue, notamment en raison de l’omnipr´esence des moyens de communication ´electronique dans la vie de tous les jours. Les algorithmes de chiffrement par blocs sont ainsi des briques de base incontournables de la s´ecurit´edenom- breux syst`emes. R´ecemment, de nombreuses avanc´ees ont ´et´e publi´ees dans le domaine de la cryptographiea ` clef publique, que ce soit dans la compr´e- hension des mod`eles de s´ecurit´eenjeu,oudanslespreuvesmath´ematiques de s´ecurit´e appliqu´ees `a des syst`emes bien pr´ecis. Malheureusement, le monde de la cryptographie sym´etrique reste clairement en retrait, bien que la situa- tion ´evolue lentement. Les algorithmes de chiffrement par blocs, ou par flot, tendent ainsia ` compenser leur manque de “s´ecurit´eprouv´ee” par d’autres atouts, tels qu’un d´ebit de chiffrement ´elev´e et une certaine facilit´e d’im- plantation. Dans la premi`ere moiti´e de cette th`ese, nous tentons d’ajouter une (mo- deste) brique `al’´edifice de la s´ecurit´eprouv´ee des algorithmes de chif- frement par blocs en analysant (th´eoriquement et exp´erimentalement) les m´ecanismes statistiques sous-jacents `alacryptanalyselin´eaire de Matsui ainsi qu’`adesmod`eles d’attaques plus abstraits. Pour atteindre ce but, nous interpr´etons le probl`eme comme un test d’hypoth`eses statistiques en utilisant notamment le paradigme de Neyman-Pearson. Nous g´en´eralisons ensuite le concept de distingueur lin´eaire et nous en discutons la puissance. Nous introduisons ´egalement le concept de distingueur s´equentiel, bas´esur l’´echantillonage s´equentiel, ainsi que celui de distingueura ` aggr´egats, qui permet de construire des distingueurs certes sub-optimaux, mais n´eanmoins efficaces. Finalement, nous proposons une s´erie de nouvelles attaques contre desversionsr´eduites de l’algorithme IDEA. Dans la seconde moiti´e, nous proposons une nouvelle famille d’algo- rithmes de chiffrement par blocs, baptis´ee FOX. Pour cela, nous ´etudions sur des architectures `abascoˆut l’efficacit´e de composants de diffusion opti- maux, et nous proposons plusieurs nouvelles constructions de matrices MDS. Enfin, nous d´ecrivons pr´ecis´ement FOX,nous´etudions sa s´ecurit´evis-`a-vis des attaques lin´eaires, diff´erentielles, int´egrales et alg´ebriques, et nous dis- cutons finalement les aspects li´es `a son implantation. v —vi— Contents Acknowledgments i Abstract iii R´esum´ev 1 Introduction 1 2 A Brief Overview of Block Ciphers 5 2.1Terminology............................ 5 2.1.1 BasicDefinitions..................... 5 2.1.2 GoodandBadBlockCiphers.............. 9 2.2ExamplesofBlockCiphers................... 10 2.2.1 DataEncryptionStandaard(DES)........... 10 2.2.2 IDEA........................... 20 2.2.3 AdvancedEncryptionStandard(AES)......... 23 2.2.4 ModesofOperation................... 26 2.3AttacksAgainstBlockCiphers................. 30 2.3.1 AttackModelsandTerminology............ 30 2.3.2 Black-BoxAttacks.................... 35 2.3.3 StatisticalAttacks.................... 39 2.3.4 IntegralAttacks..................... 48 2.3.5 AlgebraicAttacks.................... 49 2.3.6 OtherAttacks...................... 50 2.4SecurityModels.......................... 51 2.4.1 PerfectSecrecy...................... 52 2.4.2 Security against Bounded Adversaries . ...... 53 2.4.3 Ad-HocProofsofSecurity................ 55 vii — viii — 3 Statistical Cryptanalysis of Block Ciphers 57 3.1TheNeyman-PearsonParadigm................. 58 3.1.1 Likelihood-RatioTests.................. 59 3.1.2 GeneralizedLikelihood-RatioTests........... 61 3.2LinearCryptanalysisofDESRevisited............. 63 3.2.1 HistoricalPerspectives.................. 63 3.2.2 BasicAttack....................... 64 3.2.3 AnalysisofMatsui’sAttacks.............. 70 3.2.4 ImprovementofMatsui’sAttack............ 80 3.2.5 ImplementationofMatsui’sAttack........... 88 3.2.6 Summary......................... 95 3.3StatisticalModelizationofDistinguishers........... 96 3.3.1 Preliminaries....................... 96 3.3.2 Distinguishing Two Binary Random Sources . 99 3.3.3 OptimalLinearDistinguishers.............106 3.3.4 OptimalDifferentialDistinguishers...........108 3.3.5 GeneralizedLinearDistinguishers............111
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages281 Page
-
File Size-