Security Arguments and Tool-Based Design of Block Ciphers

Security Arguments and Tool-based Design of Block Ciphers
Dissertation Thesis
Friedrich Wiemer
16th August 2019

Submitted in partial fulfillment of the requirements for the degree of Doktor der Naturwissenschaften to the Faculty of Mathematics at Ruhr-Universität Bochum.
1st Reviewer: Prof. Dr. Gregor Leander
2nd Reviewer: Prof. Dr. Alexander May
Date of Defense: 13th December 2019

IMPRINT

Security Arguments and Tool-based Design of Block Ciphers. Copyright © 2020 by Friedrich Wiemer. All rights reserved. Printed in Germany. Published by the Ruhr-Universität Bochum, Bochum, Germany.

COLOPHON

This thesis was typeset using LaTeX and the memoir documentclass. It is based on Aaron Turon's thesis Understanding and expressing scalable concurrency [1], itself a mixture of classicthesis [2] by André Miede and tufte-latex [3], based on Edward Tufte's Beautiful Evidence. The LaTeX source is available on GitHub [4]. The bibliography was processed by Biblatex. All graphics and plots are made with PGF/TikZ. The body text is set 10/14pt (long primer) on a 26pc measure. The margin text is set 8/9pt (brevier) on a 12pc measure. Matthew Carter's Charter acts as both the text and display typeface. Monospaced text uses Jim Lyles's Bitstream Vera Mono ("Bera Mono").

[1] https://people.mpi-sws.org/~turon/turon-thesis.pdf
[2] https://bitbucket.org/amiede/classicthesis/
[3] https://github.com/Tufte-LaTeX/tufte-latex
[4] https://github.com/pfasante/phd_thesis

"If we knew what it was we were doing, it would not be called research, would it?" —Albert Einstein

Abstract

Block ciphers form, without doubt, the backbone of today's encrypted communication and are thus justifiably the workhorses of cryptography. While the efficiency of modern designs improved ever since the development of the DES and AES, the case with the corresponding security arguments differs.

The thesis at hand aims at two main points, both in the direction of improving security analysis of block ciphers. Part I studies a new notion for a better understanding of a special type of cryptanalysis and proposes a new block cipher instance. This instance comes with a tight bound on any differential, to the best of our knowledge the first such block cipher. Part II turns to automated methods in design and analysis of block ciphers. Our main contribution here is an algorithm to propagate subspaces through encryption rounds, together with two applications: an algorithmic security argument against a new type of cryptanalysis and an idea towards the automation of key recovery attacks.

Zusammenfassung (German abstract, translated)

Block ciphers without doubt form the backbone of our present-day digital communication and are thus rightly called the workhorse of cryptography. While the efficiency of new ciphers rises steadily, this holds only to a limited extent for their security arguments.

The thesis at hand therefore deals with two main topics. In Part I we study a new notation for a special cryptanalysis technique and give new theoretical insights into it. Furthermore, we construct a block cipher and show tight bounds for every differential; to the best of our knowledge the first such cipher. In Part II we turn to algorithmic methods for the design and analysis of block ciphers. The main contribution is an algorithm to propagate subspaces through cipher rounds. Finally, we discuss two applications: a security argument for a new cryptanalysis technique and an approach to automating key recovery attacks.

Contents

Abstract  vii
Zusammenfassung  ix
Contents  xi
List of Algorithms  xiii
List of Figures  xiii
List of Tables  xiv
Acknowledgments  xv

I Prologue  1
1 Introduction  3
  1.1 Open Problems in Block Cipher Design  4
  1.2 Outline and Contributions  6
  1.3 Publications  9
2 The Art and Science of Block Cipher Design  13
  2.1 Basics and Notations  13
  2.2 Pseudorandom Permutations and Block ciphers  16
  2.3 Practical Security – Symmetric Cryptanalysis  27
  2.4 Boolean functions  45

II Security Arguments for Block Ciphers  53
3 On Autocorrelation Tables  55
  3.1 On the DLCT and ACT  55
  3.2 Lower bound on the absolute indicator  61
4 Instantiating the WSN Construction  71
  4.1 Introduction  71
  4.2 The Whitened Swap-or-Not construction  74
  4.3 Inherent Restrictions  74
  4.4 Differential Cryptanalysis of BISON-like instances  79
  4.5 Specification of BISON  85
  4.6 Security Analysis of BISON  87
  4.7 Implementation Aspects of BISON  94
  4.8 Specification of WISENT  95
  4.9 Conclusion  99

III Automated Methods in Design and Analysis  101
5 Heuristics for XOR Counts  103
  5.1 Introduction  103
  5.2 MDS Matrices and Matrix Constructions  105
  5.3 XOR counts and Optimisation Strategies  109
  5.4 Application and Evaluation of the Heuristics  113
  5.5 Further work  117
6 Propagating Truncated Differentials  123
  6.1 Introduction  123
  6.2 Subspace Trails and Truncated Differentials  126
  6.3 Algorithmic Propagation of Differences  128
  6.4 Proving Resistance against Subspace Trail Attacks  131
  6.5 Open Problems  139
  6.6 Further work  142
7 Towards Automated Key Recovery Attacks  143
  7.1 Key Recovery Techniques  143
  7.2 Key Recovery by Example  145
  7.3 Algorithms for Key Recovery  147
  7.4 Future Work  152

IV Epilogue  153
8 Conclusion  155
Bibliography  157

List of Algorithms

1 Computation of subspace trails  130
2 Computation of subspace trails for degree-two functions  130
3 No Non-Trivial Linear Structures  134
4 Generic Subspace Trail Search  138
5 Basic Counting Key Recovery  144
6 Computation of truncated differentials  148
7 Naïve Dependencies Check  150

List of Figures

2.1 Multiplication using a vector space isomorphism  16
2.2 Modes of Operation  22
2.3 Product cipher  23
2.4 Key-Alternating Substitution Permutation Network  24
2.5 One round of a Feistel network  25
2.6 Generic key recovery strategy based on distinguisher  28
4.1 Schematic view of the WSN construction  74
4.2 Tree of possible output differences  83
4.3 Number of BISON rounds needed to achieve full degree  91
4.4 Behaviour of BISON's algebraic degree  91
4.5 Non-Linear Feedback Shift Register  91
4.6 BISON's DDT for n = 5  94
4.7 WISENT's DDT for n = 6  97
5.1 Correlations between naïve and BP XOR counts  116
5.2 XOR count distributions for 4 × 4 MDS matrices over GL(4, F2)  121
6.1 Graphical representation of Lemma 127  127
6.2 Invariant subspaces vs. Subspace Trails  135
7.1 Example Key Recovery  146

List of Tables

4.1 Benchmarking BISON  95
4.2 Benchmarking WISENT  98
5.1 XOR count distributions for optimised implementations  115
5.2 MDS matrices with lowest known XOR count  116
5.3 Comparison of 4 × 4 and 8 × 8 MDS matrices  119
5.4 Comparison of matrices used in ciphers or hash functions  120
6.1 Lengths of longest subspace trails without 1-linear structures  135
6.2 Lengths of longest subspace trails with 1-linear structures  138
6.3 Lengths of longest truncated differentials for Feistel Ciphers  140
7.1 The 4-bit S-box used in PRESENT  145
7.2 Exemplary I(α)  152

Acknowledgements

"The acknowledgements section is the most interesting part of any thesis. It shows how the thesis emerged." —Thomas Pöppelmann

Over three years have come and gone since I started my doctoral studies. During my time at the HGI in Bochum, I had the great pleasure to work with many awesome colleagues.

My biggest thanks go to Gregor for being the best boss I could imagine, for always supporting me with his advice, for setting up the great SymCrypt group, for lots of fun while sailing and for so many other things. I am looking forward, sailing to new directions not only in Symmetric Crypto with you – may you always have wind in your sails and a hand-width of water under your keel! Thank you, Alex, for (co-)reviewing and advising my theses, the PhD one and the master and bachelor ones, for always having a friendly ear for all kind of discussions and for all the advice ever since my bachelor. Marion, thank you for being our organisational mastermind, for helping out in every possible situation and for answering every (lazy) question – I will never forget the moment when I entered your office the first time, completely breathless after sprinting up all the stairs in NA to be on time.

But many other people were and are responsible for having this great atmosphere at the whole crypto group and the HGI. To start with, many thanks to my direct office mates, Christof and Thorsten, Virginie, and Phil, for always being open for discussions, distractions and darts, for welcoming me in the group and for being wonderful collaborators. The same holds for the other members of the SymCrypt group, Vincent, Shahram, Marek, and Federico C., the remaining Wasserstraße-crew, Andre, der kleine Alex, Claire, Felix, Floyd, Matthias, Lars, Robert and Oleg, and also for the NA-"remainers", Eike, Nils, Anja, Benedikt, Manuel, Federico G., Kathrin, Julian, Eduard, Bertram, Giorgia, Clara, Lisa, Kristina and Sebastian. Some of you found the time to check my thesis; thank you Christof, Felix, Shahram! Also thank you Lucas Hartmann and Phil Knüfer for proof-reading some parts.

Most of my research evolved from teamwork with great coauthors. In a somewhat chronological sequence, thank you very much for the pleasant collaboration: Ralf, Elena, Alex (der große), Thorsten, Gregor, Ko Stoffelen, Cihangir Tezcan, Anne Canteaut, Virginie, Patrick Neumann, Lorenzo Grassi, Christian Rechberger and Lukas Kölsch. Also thanks to Peter Schwabe for helping out with benchmarks from time to time.

Last but not least, a huge thank you to my family, my parents (-in-law), my wife Franziska and our little pirate Jonathan, for the great support at all times, for the understanding of sometimes unearthly working hours and for repeatedly showing me the important things in life.