Design and Analysis of Symmetric Cryptographic Algorithms

Design and Analysis of Symmetric Cryptographic Algorithms

Analysis and Design of Symmetric Cryptographic Algorithms Jean-Philippe Aumasson October 23, 2009 Abstract This thesis is concerned with the analysis and design of symmetric cryptographic algorithms, with a focus on real-world algorithms. The first part describes original cryptanalysis results, including: The first nontrivial preimage attacks on the (reduced) hash function MD5, and on the full • HAVAL. Our results were later improved by Sasaki and Aoki, giving a preimage attack on the full MD5. The best key-recovery attacks so far on reduced versions of the stream cipher Salsa20, se- • lected by the European Network of Excellence ECRYPT as a recommendation for software applications, and one of the two ciphers (with AES) in the NaCl cryptographic library. The academic break of the block cipher MULTI2, used in the Japanese digital-TV standard • ISDB. While MULTI2 was designed in 1988, our results are the first analysis of MULTI2 to appear as an international publication. We then present a general framework for distinguishers on symmetric cryptographic algorithms, based on the cube attacks of Dinur and Shamir: our cube testers build on algebraic property- testing algorithms to mount distinguishers on algorithms that possess some efficiently testable structure. We apply cube testers to some well known algorithms: On the compression function of MD6, we distinguish 18 rounds (out of 80) from a random • function. On the stream cipher Trivium, we obtain the best distinguisher known so far, reaching • 885 rounds out of 1152. On the stream cipher Grain-128, using FPGA devices to run high-complexity attacks, we • obtain the best distinguisher known so far, and can conjecture the existence of a shortcut attack on the full Grain-128. These results were presented at FSE 2008, SAC 2008, FSE 2009, and SHARCS 2009. The second part of this thesis presents a new hash function, called BLAKE, which we submitted to the NIST Hash Competition. Besides a complete specification, we report on our implemen- tations of BLAKE in hardware and software, and present a preliminary security analysis. As of August 2009, BLAKE is one of the 14 submissions accepted as Second Round Candidates by NIST, and no attack on BLAKE is known. Keywords: cryptanalysis, cryptography, , hash functions, stream ciphers, block ciphers i ii R´esum´e Cette th`ese pr´esente de nouvelles attaques sur plusieurs algorithmes de cryptographie sym´etrique utilis´es en pratique, dont: Les premi`eres attaques non-triviales d’inversion de la fonction de hachage MD5 (r´eduite). • Nos r´esultats ont depuis ´et´eam´elior´es par Sasaki et Aoki, culminant avec une attaque sur la version compl`ete de MD5 Les meilleures attaques sur le stream cipher Salsa20, r´ecemment s´electionn´epar le r´eseau • d’excellence europ´een ECRYPT comme recommandation pour les applications software. Des attaques sur la version compl`ete MULTI2, le block cipher utilis´epar le standard • japonais de t´el´evision num´erique (ISDB). Depuis la creation de MULTI2 en 1988, aucune analyse de MULTI2 n’a ´et´epubli´ee. Nous pr´esentons ensuite une nouvelle classe de m´ethodes alg´ebriques (nomm´ee cube testers) pour distinguer un algorithme sym´etrique d’un algorithme “id´ealement pseudo-al´eatoire”, `a partir des cube attacks de Dinur et Shamir et d’algorithmes de test de propri´et´es alg´ebriques. Plusieurs applications des cube testers sont pr´esent´ees: A` la fonction de compression de MD6: nous d´etectons des propri´et´es sur au plus 18 rounds; • en comparaison, les cube attacks atteignent 15 rounds. Au stream cipher Trivium, avec un distingueur sur 885 rounds, contre 771 pour la pr´ecedente • meilleure attaque, et 1152 dans la version compl`ete. Au stream cipher Grain-128, en utilisant une impl´ementation sur des FPGA, nous obtenons • les meilleures attaques connues. Ces r´esultats ont ´et´epresent´es `aFSE 2008, SAC 2008, FSE 2009, et SHARCS 2009. La seconde partie de cette th`ese est consacr´ee `aBLAKE, la fonction de hachage que nous avons soumise `ala NIST Hash Competition. Apr`es une sp´ecification compl`ete, nous pr´esentons nos impl´ementations hardware et software, et une analyse pr´eliminaire de l’algorithme. Jusqu’`a aujourd’hui (aoˆut 2009), aucune attaque contre BLAKE n’a ´et´epubli´ee. Mots cl´es: cryptanalyse, cryptographie, fonctions de hachage, stream ciphers, block ciphers iii iv Contents 1 Introduction 1 1.1 Hash Functions and Stream Ciphers in 2009 ..................... 2 1.2 Overview ........................................ 3 2 Background 5 2.1 Notations ........................................ 5 2.2 Formal Definitions ................................... 5 2.2.1 Stream Ciphers ................................. 6 2.2.2 Block Ciphers .................................. 6 2.2.3 Hash Functions ................................. 7 2.3 Constructing Hash Functions ............................. 7 2.3.1 Merkle-Damg˚ard Hash ............................. 7 2.3.2 Modern Constructions ............................. 8 2.3.3 Hashing with Block Ciphers .......................... 9 2.4 On Cryptanalytic Attacks ............................... 10 3 The Cryptanalyst’s Toolbox 13 3.1 Bruteforce Search .................................... 13 3.1.1 Multi-Target and Parallel Bruteforce ..................... 13 3.1.2 In Practice ................................... 13 3.2 Differential Cryptanalysis ............................... 14 3.2.1 Differences and Differentials .......................... 14 3.2.2 Finding Good Differentials .......................... 15 3.2.3 Using Differentials ............................... 16 3.2.4 Message Modification Techniques ....................... 17 3.2.5 Advanced Differential Attacks ......................... 17 3.3 Efficient Black-Box Collision Search ......................... 18 3.3.1 Tails and Cycles ................................ 18 3.3.2 Cycle Detection Based Methods ....................... 19 3.3.3 Parallel Search with Distinguished Points .................. 20 3.3.4 Application to Meet-in-the-Middle ...................... 20 3.4 Multicollision Search for Iterated Hashes ....................... 21 3.4.1 Fixed Points .................................. 21 3.4.2 Joux’s Method ................................. 22 3.4.3 Kelsey and Schneier’s Method ......................... 22 3.4.4 Faster Multicollisions ............................. 23 3.5 Quantum Attacks .................................... 24 v I Cryptanalysis 27 4 Preimage Attacks on the Hash Functions MD5 and HAVAL 29 4.1 Description of MD5 and HAVAL ........................... 29 4.1.1 The Compression Function of MD5 ...................... 30 4.1.2 The Compression Function of HAVAL .................... 31 4.2 Preimage Attacks on the Compression Function of MD5 .............. 32 4.2.1 Preimage Attack on 32 Steps ......................... 32 4.2.2 Preimage Attack on 45 Steps ......................... 34 4.2.3 Preimage Attack on 47 Steps ......................... 36 4.3 Preimage Attacks on the Compression Function of HAVAL ............ 36 4.3.1 Preimage Attack A ............................... 37 4.3.2 Preimage Attack B ............................... 38 4.4 Extension to the Hash Functions ........................... 38 4.5 Conclusion ....................................... 40 5 Key-Recovery Attacks on the Stream Ciphers Salsa20 and ChaCha 41 5.1 Salsa20 and ChaCha .................................. 41 5.1.1 Salsa20 ..................................... 41 5.1.2 ChaCha ..................................... 42 5.2 The PNB Technique .................................. 43 5.3 Key Recovery on Salsa20 ............................... 45 5.4 Key Recovery on ChaCha ............................... 46 5.5 Conclusion ....................................... 46 6 Cryptanalysis of the ISDB Scrambling Algorithm MULTI2 47 6.1 Description of MULTI2 ................................ 47 6.2 Related-Key Guess-and-Determine Attack ...................... 51 6.3 Linear Cryptanalysis .................................. 52 6.4 Related-Key Slide Attack ............................... 52 6.5 Conclusion ....................................... 54 7 Cube Testers 55 7.1 Introduction to Cube Attacks ............................. 55 7.2 Cube Testers ...................................... 59 7.2.1 Preliminaries .................................. 59 7.2.2 Building on Algebraic Property Testing ................... 61 7.3 Application to MD6 and Trivium ........................... 64 7.3.1 MD6 ....................................... 64 7.3.2 Trivium ..................................... 67 7.4 Application to Grain-128 and Grain-v1 ........................ 68 7.4.1 Brief Description of Grain-128 ........................ 69 7.4.2 Software Bitsliced Implementation ...................... 69 7.4.3 Hardware Parallel Implementation ...................... 70 7.4.4 Evolutionary Search for Good Cubes ..................... 72 7.4.5 Experimental Results and Extrapolation ................... 74 7.4.6 Observations on Grain-v1 ........................... 75 7.5 Conclusion ....................................... 76 vi II Design of the Hash Function BLAKE 77 8 Preliminaries 79 8.1 Design Principles .................................... 80 8.2 Expected Strength ................................... 81 8.3 On Hashing with a Salt ................................ 81 9 Specification 83 9.1 BLAKE-32 ....................................... 83 9.1.1 Constants .................................... 83 9.1.2 Compression Function ............................. 83 9.1.3 Hashing a Message ............................... 86

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    141 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us