Design and Analysis of Symmetric Primitives

Downloaded from orbit.dtu.dk on: Dec 21, 2017

Lauridsen, Martin Mehl; Rechberger, Christian; Knudsen, Lars Ramkilde
Publication date: 2016
Document version: Publisher's PDF, also known as Version of record

Citation (APA): Lauridsen, M. M., Rechberger, C., & Knudsen, L. R. (2016). Design and Analysis of Symmetric Primitives. Kgs. Lyngby: Technical University of Denmark (DTU). (DTU Compute PHD-2015; No. 382).

Martin M. Lauridsen
August 2015
Advisor: Christian Rechberger
Co-advisor: Lars R. Knudsen
Technical University of Denmark, Department of Applied Mathematics and Computer Science
ISSN: 0909-3192
Serial no.: PHD-2015-382

Til mine forældre (To my parents)

Abstract

The subject of this thesis is the study of symmetric cryptographic primitives. We investigate these objects from three different perspectives: cryptanalysis, design and implementation aspects.

The first part deals with cryptanalysis of symmetric primitives, where one tries to leverage a property of the design to achieve some adversarial goal. Two of the most successful types of cryptanalysis are differential and linear attacks.
We apply variants of differential cryptanalysis to the lightweight block cipher SIMON, which was proposed by researchers from the National Security Agency (NSA) in 2013. In particular, we present a search heuristic to find differentials of high probability, and we investigate the clustering of characteristics known as the differential effect. Finally, we apply impossible differential attacks using truncated differentials to a number of SIMON variants.

Next, we define a theoretical model for key-less linear distinguishers, which captures the meaning of distinguishing a block cipher from an ideal permutation using linear cryptanalysis when the key is either known or chosen by the adversary. Such models exist using differential properties but had never before been defined using linear cryptanalysis. We apply this model to the standardized block cipher PRESENT.

Finally, we present very generic attacks on two authenticated encryption schemes, AVALANCHE and RBS, by pointing out severe design flaws that can be leveraged to fully recover the secret key with very low complexity.

In the second part, we delve into the various aspects of designing a symmetric cryptographic primitive. We start by considering generalizations of the widely acclaimed Advanced Encryption Standard (AES) block cipher. In particular, our focus is on a component operation in the cipher which permutes parts of the input to obtain dependency between the state bits. With this operation in focus, we give a range of theoretical results, reducing the possible choices for the operation in generalized ciphers to a particular set of classes. We then employ a computer-aided optimization technique to determine the best choices for the operation in terms of resistance towards differential and linear cryptanalysis. Also in the vein of symmetric primitive design, we present PRØST, a new and highly secure permutation.
Employing existing third-party modes of operation, we present six proposals based on PRØST for the ongoing CAESAR competition for authenticated encryption with associated data. We describe the design criteria and the usage modes, and give proofs of security.

Finally, in the third part, we consider implementation aspects of symmetric cryptography, with a focus on high-performance software. In more detail, we analyze and implement modes recommended by the National Institute of Standards and Technology (NIST), as well as authenticated encryption modes from the CAESAR competition, when instantiated with the AES. The data processed in our benchmarking has sizes representative of typical Internet traffic. Motivated by a significant improvement to the special AES instructions in the most recent microarchitecture from Intel, codenamed Haswell, our implementations are tailored for this platform. Finally, we introduce the comb scheduler, a low-overhead look-ahead strategy for processing multiple messages in parallel. We show that it significantly increases the throughput for sequential modes of operation especially, but also for parallel modes to a lesser extent.

Resumé (Danish abstract, translated to English)

The subject of this thesis is the analysis of symmetric cryptographic primitives. We study these objects from three different perspectives: cryptanalysis, design, and implementation aspects.

The first part deals with cryptanalysis of symmetric primitives, where one attempts to exploit a property of the design to achieve a goal that conflicts with security. The two most successful types of cryptanalysis are differential and linear attacks. We apply variants of differential cryptanalysis to the block cipher SIMON, which was proposed by researchers from the National Security Agency (NSA) in 2013. We give a search heuristic which finds differentials of high probability, and we investigate the clustering of characteristics known as the differential effect.
Finally, building on truncated differentials, we present impossible differential attacks on several variants of SIMON.

We then define a theoretical model for key-less linear distinguishers, which captures the notion of distinguishing a block cipher from an ideal permutation using linear cryptanalysis, when the key is either known or chosen by the attacker. Such models using differential properties already exist, but had never before been defined using linear cryptanalysis. We apply this model to the standardized block cipher PRESENT.

Finally, we present generic attacks on two authenticated encryption schemes, AVALANCHE and RBS, by pointing out severe design flaws that can be exploited to completely determine the secret key with very low complexity.

In the second part, we delve into various design perspectives of symmetric cryptographic primitives. We start by examining generalizations of the widely recognized Advanced Encryption Standard (AES) block cipher. In particular, our focus is on an operation in AES which permutes parts of the input to obtain a dependency between the bits of the cipher state. With this operation in focus, we give a number of theoretical results which reduce the possible choices of operation in generalized ciphers to a number of specific classes. We then use a computer-aided optimization technique to determine the best choice of operation with respect to resistance against differential and linear cryptanalysis. Also in the direction of design, we present PRØST, a new permutation of high security. Using existing third-party modes of operation, we give six proposals based on PRØST for the ongoing CAESAR competition for authenticated encryption with associated data. We describe design criteria, usage modes and proofs of security.

Finally, in the third part, we study implementation aspects of symmetric encryption with a focus on high-performance software.
In particular, we analyze and implement modes recommended by the National Institute of Standards and Technology (NIST), as well as modes for authenticated encryption from the CAESAR competition, when these are instantiated with AES as the underlying block cipher. The data processed in our benchmarks has sizes representative of typical Internet traffic. Motivated by a significant improvement of the special AES instructions in the latest microarchitecture from Intel, codenamed Haswell, our implementations are tailored to this platform. Lastly, we introduce the comb scheduler, which uses a low-overhead look-ahead strategy to process several data streams in parallel. We show that this gives a considerable increase in throughput for sequential modes especially, but also for parallelizable modes to a lesser degree.

Acknowledgments

First and foremost, I wish to thank my supervisor Christian Rechberger, and my co-supervisor Lars R. Knudsen. Your good spirits and relaxed approach to supervision made my past three years a truly enjoyable experience. My thanks go also to Søren S. Thomsen, my first tutor during my Master's studies, and to Gregor Leander, who was my supervisor before leaving me in Christian's care. Your inspiration played a crucial role in sparking my interest for cryptology. I also thank Anne Canteaut and Thomas Johansson for joining my committee, and Peter Beelen for chairing it. For the first year of my studies, I was fortunate to be part of the Danish-Chinese Center for Applications of Algebraic Geometry in Coding Theory and Cryptography. During this time I had the opportunity to discuss many topics outside my own area of research. Many thanks go to the whole team for our endeavors around Shanghai, and
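The SIMON differential analysis summarized in the abstract (differentials of high probability, and the clustering of characteristics known as the differential effect) can be reproduced on a small scale with the Python script below. It is an added example, not code from the thesis: it implements SIMON32/64 from the public specification, checks the published test vector, measures the probability of a one-round differential that can be derived by hand, and then follows 3-round pairs through the cipher, grouping them by the trail of intermediate differences to show several characteristics feeding a single output difference. The function names, the choice of input difference (0001, 0000), the round counts and the sample sizes are the example's own assumptions.

```python
"""SIMON32/64 and the differential effect (added example; not the thesis' code).

Implements the cipher from the public specification, checks the published test
vector, then (1) measures a one-round differential whose probability can be
derived by hand and (2) groups 3-round pairs by their full trail of
intermediate differences, so one can see that the probability of a
differential is the sum over several characteristics (the differential effect).
"""
import random
from collections import Counter, defaultdict

N = 16                        # word size: SIMON32 works on two 16-bit words
MASK = (1 << N) - 1
ROUNDS = 32                   # SIMON32/64: 32 rounds, 4 key words
# Key-schedule constant sequence z0 from the specification, bit j is Z0[j].
Z0 = "11111010001001010110000111001101111101000100101011000011100110"

def rotl(x, r): return ((x << r) | (x >> (N - r))) & MASK
def rotr(x, r): return ((x >> r) | (x << (N - r))) & MASK

def f(x):
    """Round function; the AND of two rotated copies is the only non-linear step."""
    return (rotl(x, 1) & rotl(x, 8)) ^ rotl(x, 2)

def expand_key(k):
    """k = [k0, k1, k2, k3] with k0 used in round 0; returns the 32 round keys."""
    rk = list(k)
    for i in range(4, ROUNDS):
        tmp = rotr(rk[i - 1], 3) ^ rk[i - 3]
        tmp ^= rotr(tmp, 1)
        rk.append((~rk[i - 4] & MASK) ^ tmp ^ int(Z0[(i - 4) % 62]) ^ 3)
    return rk

def encrypt(x, y, rk, rounds=ROUNDS, trace=None):
    """Feistel rounds (x, y) -> (y ^ f(x) ^ k_i, x); optionally records each state."""
    for i in range(rounds):
        x, y = y ^ f(x) ^ rk[i], x
        if trace is not None:
            trace.append((x, y))
    return x, y

def known_answer_test():
    """Published SIMON32/64 vector: key 1918 1110 0908 0100, pt 6565 6877, ct c69b e9bb."""
    rk = expand_key([0x0100, 0x0908, 0x1110, 0x1918])
    return encrypt(0x6565, 0x6877, rk) == (0xc69b, 0xe9bb)

def one_round_probability(samples=1 << 14, seed=1):
    """Differential (0001, 0000) -> (0004, 0001) over one round.

    Rotations and XOR are linear, so only the AND term is uncertain: with input
    difference e0 it flips bit 8 iff x7 = 1 and bit 1 iff x9 = 1, so the output
    difference equals the linear part e2 exactly when both bits are 0: prob 1/4."""
    rng = random.Random(seed)
    rk = expand_key([rng.getrandbits(N) for _ in range(4)])   # random key (constructed)
    hits = 0
    for _ in range(samples):
        x, y = rng.getrandbits(N), rng.getrandbits(N)
        a = encrypt(x, y, rk, rounds=1)
        b = encrypt(x ^ 1, y, rk, rounds=1)
        hits += (a[0] ^ b[0], a[1] ^ b[1]) == (0x0004, 0x0001)
    return hits / samples

def differential_effect(rounds=3, samples=1 << 15, seed=2):
    """Follow pairs with input difference (0001, 0000) through `rounds` rounds,
    grouping them by output difference and by the full trail of round differences.
    Returns (output difference with the most trails, number of distinct trails,
    ratio of the differential's probability to that of its best single trail)."""
    rng = random.Random(seed)
    rk = expand_key([rng.getrandbits(N) for _ in range(4)])   # random key (constructed)
    trails = defaultdict(Counter)          # output diff -> Counter of trails
    for _ in range(samples):
        x, y = rng.getrandbits(N), rng.getrandbits(N)
        t1, t2 = [], []
        encrypt(x, y, rk, rounds, t1)
        encrypt(x ^ 1, y, rk, rounds, t2)
        trail = tuple((p[0] ^ q[0], p[1] ^ q[1]) for p, q in zip(t1, t2))
        trails[trail[-1]][trail] += 1
    out, paths = max(trails.items(), key=lambda kv: len(kv[1]))
    return out, len(paths), sum(paths.values()) / max(paths.values())

if __name__ == "__main__":
    print("test vector ok:", known_answer_test())
    print("P[(0001,0000)->(0004,0001)] over 1 round ~", one_round_probability())
    out, n, ratio = differential_effect()
    print(f"3-round difference ({out[0]:04x},{out[1]:04x}): {n} distinct trails, "
          f"differential is {ratio:.2f}x as likely as its best single trail")
```

The ratio printed last is the differential effect in miniature: a search heuristic that scores only the best single characteristic underestimates the differential's probability, which is why the thesis separately investigates how characteristics cluster. Adding rounds makes the gap grow and the empirical estimate noisier, so sample sizes have to rise accordingly.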
