Downloaded from orbit.dtu.dk on: Sep 23, 2021 Design and analysis of cryptographic algorithms Kölbl, Stefan Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Kölbl, S. (2017). Design and analysis of cryptographic algorithms. Technical University of Denmark. DTU Compute PHD-2016 No. 434 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. stefan kölbl DESIGNANDANALYSISOFCRYPTOGRAPHIC ALGORITHMS DESIGNANDANALYSISOFCRYPTOGRAPHIC ALGORITHMS stefan kölbl Ph.D Thesis September 2016 Supervisor: Christian Rechberger Co-supervisor: Lars R. Knudsen Technical University of Denmark DTU Compute, Cyber Security Stefan Kölbl: Design and Analysis of Cryptographic Algorithms, © September 2016 Abstract In today’s world computers are ubiquitous. They can be found in virtually any industry and most households own at least one personal computer or have a mobile phone. Apart from these fairly large and complex devices, we also see computers on a much smaller scale appear in everyday objects in the form of micro-controllers and RFID chips. What truly transformed our society are large scale networks, like the In- ternet or mobile telephone networks, which can link billions of devices. Our ways of communicating and conducting business have severely changed over the last decades due to this development. However, most of this communica- tion happens over inherently insecure channels requiring methods to protect our communication. A further issue is the vast amount of data generated, which raises serious privacy concerns. Cryptography provides the key components for protecting our commu- nication. From securing our passwords and personal data to protecting mo- bile communication from eavesdroppers and our electronic bank transactions from manipulation. These applications would be impossible without cryptog- raphy. The main topic of this thesis is the design and security analysis of the most fundamental algorithms used in cryptography, namely block ciphers and cryptographic hash functions. These algorithms are the building blocks for a vast amount of applications and play a vital role in providing both confidentiality and integrity for our communication. This work is organized in two parts. First, an introduction to block ciphers and cryptographic hash functions is given to provide an overview over the state-of-the-art, the terminology, and how we can evaluate the security of an algorithm. The second part is a collection of scientific publications that have been written during the PhD studies and published. In the first publication we analyze the security of cryptographic hash func- tions based on the AES and demonstrate practical attacks on reduced-round versions of these algorithms. The second publication provides cryptanalysis of the lightweight block cipher SIMON in particular how resistant this type of block ciphers are against differential and linear cryptanalyis. In the fourth publication we present a short-input hash function utilizing AES-specific in- structions on modern CPUs in order to improve the performance of hash- based signature schemes. The last publication deals with the design of the tweakable lightweight block cipher Skinny which provides strong security bounds against differential and linear attacks while also competing with the performance of SIMON. v Resumé I nutidens verden er computere allestedsnærværende. De findes inden for en- hver industri, og de fleste husholdninger har mindst en personlig computer eller en mobiltelefon. Ud over disse forholdsvist store og komplekse enheder, begynder computere i en meget mindre skala også at dukke op i hverdagen i form af mikrocontrollere og RFID-chips. Det der for alvor har ændret vores samfund er netværk i stor skala, såsom Internettet eller mobilnetværker, som kan forbinde milliarder af enheder. Den måde hvorpå vi kommunikerer og gør forretning har ændret sig voldsomt de sidste par årtier, netop på grund af denne udvikling. Størstedelen af denne kommunikation foregår imidlertid over usikre kommunikationskanaler, hvor metoder til beskyttelse af kommunikationen er påkrævet. Derudover bliver store mænger data genereret, hvilket giver anledning til bekymringer om vores privatliv. Kryptologi leverer det centrale element i beskyttelsen af vores kommunika- tion. Fra sikring af passwords og personlig data, til forebyggelse af aflytning af mobilkommunikation og manipulation af bankoverførelser - uden krypto- logi ville alt dette være umuligt. Hovedemnet i denne afhandling er design og sikkerhedsanalyse af de mest fundamentale algoritmer, der bliver benyttet i kryptologi: block ciphers og kryptografiske hash funktioner. Disse algoritmer er byggesten i mange anven- delser og spiller en afgørende roller i at levere både fortrolig kommunikation og dataintegritet. Afhandlingen består af to dele. Første del giver en introduktion til block ciphers og kryptografiske hash funktioner med det formål at give et overblik over state-of-the-art, terminologien, og hvordan vi kan evaluere en algorit- mes sikkerhed. Den anden del er en samling af videnskabelige publikationer, der er blevet skrevet og udgivet under PhD-studiet. I den første publikation analyserer vi sikkerheden af kryptografiske hash funktioner baseret på AES og demonstrerer praktiske angreb på versioner af disse algoritmer med et reduceret antal runder. Den anden publikation inde- holder kryptoanalyse af letvægts block cipheren SIMON med fokus på hvor resistent denne type block cipher er over for differentiel og lineær kryptoana- lyse. I den fjerne publikation præsenterer vi en hash funktion med kort input, der benytter AES-specifikke instruktioner på moderne CPU’er for at forbed- re hash-baserede signatureres ydeevne. Den sidste publikation omhandler designet af en tweakable letvægts block cipher, Skinny, som giver stærke sikkerhedsgarantier mod differentiale og lineære angreb, men hvis ydeevne stadig er sammenlignelig med SIMONs ydeevne. vi Acknowledgments First of all, I would like to thank my supervisor Christian Rechberger for his guidance throughout my PhD studies, pointing out interesting research problems and making this three years of PhD a very enjoyable experience. I would also like to thank Lars R. Knudsen, my co-supervisor and head of the research group, who provided an excellent working environment and always had an open door. Thanks to all my co-workers at the DTU Cyber Security group: Mohamed Ahmed Abdelraheem, Hoda A. Alkhzaimi, Subhadeep Banik, Andrey Bog- danov, Christian D. Jensen, Martin M. Lauridsen, Arnab Roy, Elmar Tis- chhauser, Philip Vejre and our secretary Ann-Cathrin Dunker. Especially, to my PhD colleagues Martin, Philip and Tyge for all the interesting discussions on cryptography, life and other nonsense. I would also like to thank all the great people in the crypto community whom I met at conferences and helped broadening my knowledge. In par- ticular my co-authors: Ralph Ankele, Christof Beierle, Jérémy Jean, Martin M. Lauridsen, Gregor Leander, Florian Mendel, Amir Moradi, Tomislav Nad, Thomas Peyrin, Christian Rechberger, Arnab Roy, Yu Sasaki, Pascal Sasdrich, Martin Schläffer, Siang Meng Sim and Tyge Tiessen. I would also like to thank the members of the research group at NTU, especially my host Thomas Peyrin. I truly enjoyed working with all of you and had a great time in Singapore. Finally, I would like to thank all my friends in Austria and my family for all the support and encouragment. vii Contents i Symmetric Primitives 1 1 introduction3 2 block ciphers7 2.1 Applications 8 2.2 Security 8 2.2.1 Unconditional Security 8 2.2.2 Computational Security 9 2.2.3 Adversary Goals 10 2.2.4 Capabilities of the Attacker 10 2.3 Design 13 2.3.1 Feistel 13 2.3.2 Substitution Permutation Networks 15 2.4 Modes of Operation 16 2.4.1 Electronic Code Book 16 2.4.2 Cipher Block Chaining 17 2.4.3 Counter Mode 17 2.5 Tweakable Block Ciphers 18 3 hash functions 21 3.1 Applications 22 3.2 Security 23 3.2.1 Generic Attacks 24 3.3 Design 25 3.3.1 Merkle-Damgård construction 25 3.3.2 Compression Functions 27 3.3.3 Sponge construction 27 3.4 Hash-based Signature Schemes 30 3.4.1 Security Goals 30 3.4.2 One-time digital signatures 31 3.4.3 Merkle Signature Scheme 32 3.4.4 XMSS 33 3.4.5 Stateless Schemes 33 4 cryptanalysis 35 4.1 Meet-in-the-middle 35 4.1.1 Multiple Encryption 35 4.1.2 Preimages in a Sponge Construction 37 4.2 Differential Cryptanalysis 37 4.2.1 Key Recovery using a Differential Distinguisher 40 4.2.2 Truncated Differentials 41 ix x contents 4.2.3 Impossible Differentials 41 4.2.4 Structures 42 4.2.5 Collision Attacks for Hash Functions 42 4.2.6 Rebound Attack 43 bibliography 45 ii Publications 53 practical attacks on aes-like cryptographic hash func- tions 55 1 Introduction 57 1.1 Motivation 58 1.2 Contribution 59 1.3 Related Work 60 1.4