Cryptanalysis of Block Ciphers with New Design Strategies Mohamed Tolba A Thesis in The Concordia Institute for Information Systems Engineering Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy (Information Systems Engineering) at Concordia University Montreal, Quebec, Canada October 2017 ©Mohamed Tolba, 2017 CONCORDIA UNIVERSITY SCHOOL OF GRADUATE STUDIES This is to certify that the thesis prepared By: Mohamed Tolba Entitled: Cryptanalysis of Block Ciphers with New Design Strategies and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Information Systems Engineering) complies with the regulations of the University and meets the accepted standards with re- spect to originality and quality. Signed by the final examining committee: Chair Dr. Theodore Stathopoulos External Examiner Dr. Huapeng Wu External to Program Dr. Anjali Agarwal Examiner Dr. Lingyu Wang Examiner Dr. Mohammad Mannan Thesis Supervisor Dr. Amr M. Youssef Approved by Dr. Chadi Assi, Graduate Program Director December 4th,2017 Dr. Amir Asif, Dean, Faculty of Engineering and Computer Science Abstract Cryptanalysis of Block Ciphers with New Design Strategies Mohamed Tolba, Ph.D. Concordia University, 2017 Block ciphers are among the mostly widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public- key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and discrete logarithm problem in the DiffieHellman. Therefore, their security are mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques. Our research is dedicated to the cryptanalysis of block ciphers. In particular, throughout this thesis, we investigate the security of some block ciphers con- structed with new design strategies. These new strategies include (i) employing simple round function, and modest key schedule, (ii) using another input called tweak rather than the usual two inputs of the block ciphers, the plaintext and the key, to instantiate different permuta- tions for the same key. This type of block ciphers is called a tweakable block cipher, (iii) employing linear and non-linear components that are energy efficient to provide low energy consumption block ciphers, (iv) employing optimal diffusion linear transformation layer while following the AES-based construction to provide faster diffusion rate, and (v) using rather weak but larger S-boxes in addition to simple linear transformation layers to provide prov- iii able security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. The results presented in this thesis can be summarized as follows: Initially, we analyze the security of two lightweight block ciphers, namely, Khudra and Piccolo against Meet-in-the-Middle (MitM) attack based on the Demirci and Sel¸cuk approach exploiting the simple design of the key schedule and round function. Next, we investigate the security of two tweakable block ciphers, namely, Kiasu-BC and SKINNY. According to the designers, the best attack on Kiasu-BC covers 7 rounds. However, we exploited the tweak to present 8-round attack using MitM with efficient enu- meration cryptanalysis. Then, we improve the previous results of the impossible differential cryptanalysis on SKINNY exploiting the tweakey schedule and linear transformation layer. Afterwards, we study the security of new low energy consumption block cipher, namely, Midori128 where we present the longest impossible differential distinguishers that cover com- plete 7 rounds. Then, we utilized 4 of these distinguishers to launch key recovery attack against 11 rounds of Midori128 to improve the previous results on this cipher using the im- possible differential cryptanalysis. Then, using the truncated differential cryptanalysis, we are able to attack 13 rounds of Midori128 utilizing a 10-round differential distinguisher. We also analyze Kuznyechik, the standard Russian federation block cipher, against MitM with efficient enumeration cryptanalysis where we improve the previous results on Kuznyechik, using MitM attack with efficient enumeration, by presenting 6-round attack. Unlike the previous attack, our attack exploits the exact values of the coefficients of the MDS transformation that is used in the cipher. Finally, we present key recovery attacks using the multidimensional zero-correlation cryptanalysis against SPARX-128, which follows the long trail design strategy, to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. iv Acknowledgments First and foremost, I would like to express my special appreciation and sincere gratitude to my supervisor, Dr. Amr Youssef, for his continuous support, motivation, patience, enthu- siasm, and knowledge that helped me to finish this work. His willingness to give his time so generously has been very much appreciated. I appreciate your invaluable advices you give me on both research and my career. Next, I would like to thank my colleagues in the CIISE Crypto Lab for their friendship and support. Special thanks to Ahmed Abdelkhalek for the long hours we spent together in discussing our research problems. Finally, many grateful thanks for my lovely wife for her love, support, and encouragement during my PhD study. Special thanks to my mother, my mother and father in-laws for their support, encouragement, and love. Mohamed Tolba v To my family for their love and support Table of Contents List of Figures ix List of Tables xi Chapter 1 Introduction 1 1.1 General Overview and Motivation ......................... 1 1.2 Thesis Contributions ................................ 4 Chapter 2 Background 6 2.1 Block Ciphers .................................... 6 2.1.1 Block Cipher Design ............................ 7 2.1.2 Block Cipher Evaluation .......................... 8 2.2 Block Cipher Security ............................... 9 2.2.1 Attack Models ............................... 10 2.2.2 Generic Attacks ............................... 10 2.3 Cryptanalytic Techniques ............................. 11 2.3.1 Differential Cryptanalysis ......................... 11 2.3.2 Linear Cryptanalysis ............................ 13 2.3.3 Differential-Linear Cryptanalysis ..................... 14 2.3.4 Higher-Order Differential Cryptanalysis ................. 15 2.3.5 Truncated Differential Cryptanalysis ................... 16 2.3.6 Integral Cryptanalysis ........................... 17 2.3.7 Impossible Differential Cryptanalysis ................... 17 2.3.8 Zero-Correlation Cryptanalysis ...................... 18 2.3.9 Basic Meet-in-the-Middle Cryptanalysis ................. 19 2.3.10 3-Subset MitM Cryptanalysis ....................... 21 2.3.11 Splice-and-Cut Cryptanalysis ....................... 22 2.3.12 Multidimensional MitM and Generalized MitM Cryptanalysis . 23 2.3.13 Plain MitM and MitM with Efficient Enumeration Cryptanalysis . 23 2.3.14 Biclique Cryptanalysis ........................... 25 vii 2.3.15 Unbalanced Biclique Cryptanalysis .................... 26 2.3.16 Invariant Subspace Cryptanalysis ..................... 27 Chapter 3 MitM Attacks on Khudra and Piccolo 29 3.1 Introduction .................................... 29 3.2 Plain MitM Attack on Khudra .......................... 30 3.2.1 Specifications of Khudra .......................... 30 3.2.2 A MitM Attack on 13-Round Khudra ................... 32 3.2.3 A MitM Attack on 14-Round Khudra ................... 35 3.3 Plain MitM Attack on Piccolo ........................... 36 3.3.1 Specifications of Piccolo .......................... 38 3.3.2 A MitM Attack on 14-Round Piccolo-80 ................. 41 3.3.3 A MitM Attack on 16-Round Piccolo-128 ................. 46 3.3.4 A MitM Attack on 17-Round Piccolo-128 ................. 48 3.4 Conclusion ..................................... 50 Chapter 4 A MitM with Efficient Enumeration Attack on Kiasu-BC 52 4.1 Introduction .................................... 52 4.2 Specifications of Kiasu-BC ............................. 53 4.3 A MitM Attack on 8-Round Kiasu-BC ...................... 54 4.4 Conclusion ..................................... 58 Chapter 5 Impossible Differential Cryptanalysis of SKINNY 59 5.1 Introduction .................................... 59 5.2 Specifications of SKINNY ............................. 61 5.3 An Impossible Differential Distinguisher of SKINNY .............. 64 5.4 Impossible Differential Key-recovery Attack on 20-round SKINNY-n-2n . 65 5.4.1 Impossible Differential Key-recovery Attack on SKINNY-64-128 .. 65 5.4.2 Impossible Differential Key-recovery Attack on SKINNY-128-256 . 72 5.5 Impossible Differential Key-recovery Attack on 18-round SKINNY-n-n . 74 5.6 Impossible Differential Key-recovery Attack on 22-round SKINNY-n-3n . 75 5.7 Conclusion ..................................... 76 Chapter 6 Cryptanalysis of Midori128 77 6.1 Introduction .................................... 78 6.2 Specifications of Midori128 ............................ 80 6.3 Improved Multiple Impossible Differential Cryptanalysis of Midori128 . 83 6.3.1 7-round Impossible Differential Distinguishers of Midori128 . 83 6.3.2 11-round Multiple Impossible Differential of Midori128 ......... 86 viii 6.4 Truncated and Multiple Differential