Cryptanalysis and Design of Lightweight Symmetric‑Key Cryptography

This document is downloaded from DR-NTU (https://dr.ntu.edu.sg), Nanyang Technological University, Singapore.

Sim, S. M. (2018). Cryptanalysis and design of lightweight symmetric-key cryptography. Doctoral thesis, Nanyang Technological University, Singapore. http://hdl.handle.net/10356/74160 https://doi.org/10.32657/10356/74160

Downloaded on 26 Sep 2021 17:05:46 SGT

CRYPTANALYSIS AND DESIGN OF LIGHTWEIGHT SYMMETRIC-KEY CRYPTOGRAPHY

SIM SIANG MENG
School of Physical and Mathematical Sciences

A thesis submitted to the Nanyang Technological University in partial fulfilment of the requirement for the degree of Doctor of Philosophy

2017

To my wife.

Acknowledgements

First of all, I would like to express my deepest gratitude to my supervisor Prof Thomas Peyrin for his great guidance and mentoring. His insightful thoughts, endless research ideas and passion in symmetric-key cryptography are a true inspiration. There is not a single day that I am bored of doing cryptographic research. Despite his busy schedule, he will always try his best to make time for discussion even at very short notice. I would also like to thank him for his unconditional support for me to attend conferences, workshops, summer school and overseas attachment. He is a great supervisor, mentor, friend and tennis rival.

I would not have started my doctoral research in NTU if not for Prof KHOO Khoongming, supervisor for my undergraduate final year project (FYP). His guidance and enthusiasm in cryptography motivated me to pursue my doctoral research. It was also he who introduced me to Thomas.

I would like to thank Prof WANG Huaxiong for being my FYP co-supervisor and giving valuable advice; and Prof WU Hongjun for introducing me to cryptography during my undergraduate studies and guiding me through my first undergraduate research work on cryptography.

Many thanks to Yu Sasaki for several reasons. During his visit to NTU, he initiated countless discussions and research topics, where I learnt and benefited a lot from his vast knowledge and experience. I greatly appreciate his help in arranging my overseas attachment and mentoring me at Nippon Telegraph and Telephone Corporation (NTT). My stay in Japan was a pleasant experience thanks to him being a great mentor, host and translator.

I am grateful to have GUO Jian, WANG Lei, Jérémy Jean, Ivica Nikolić, LIU Meicheng, Pierre Karpman, Sumit Kumar Pandey, Mohona Ghosh, Mustafa Khairallah, WANG Haoyang, Vesselin Velichkov, Zakaria Najm and many other past and present researchers sharing lab SPMS-MAS-04-01 as labmates. Discussing research works, going for lunch together, sharing and learning each other's home culture are priceless memories for me.

I am delighted to have met Kan Yasuda, Yosuke Todo, Akinori Hosoyamada and many other people in NTT during my overseas attachment in September 2016. I truly enjoyed the experience and look forward to visiting NTT again in the future.

I would like to thank all my co-authors, Ralph Ankele, Subhadeep Banik, Christof Beierle, Avik Chakraborti, GUO Jian, Jérémy Jean, KHOO Khoongming, Stefan Kölbl, Gregor Leander, Eugene Lee, Eik List, LIU Meicheng, Florian Mendel, Amir Moradi, Ivica Nikolić, Frédérique Oggier, Sumit Kumar Pandey, Thomas Peyrin, QIAO Kexin, Sumanta Sarkar, Yu Sasaki, Pascal Sasdrich, Jacob Teo, Yosuke Todo, Dylan Toh, Jade Tourteaux, WANG Gaoli, WANG Lei and ZHANG Guoyan. I have learnt a lot through working and collaborating with them.

My gratitude to my parents and my brother for their support and for believing in me.
Sincere thanks to my wonderful wife for her understanding and undivided love.

Last but not least, special thanks to the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06) for partially funding my doctoral research.

SIM Siang Meng
March, 2018

Contents

Acknowledgements ..... i
Abstract ..... vii
List of Works ..... ix
List of Symbols ..... xi
List of Abbreviations ..... xiii

Background ..... 1

1 Introduction ..... 3
  1.1 Cryptology ..... 3
    1.1.1 What is cryptology? ..... 3
    1.1.2 Symmetric-key and public-key cryptography ..... 4
    1.1.3 Types of security analysis ..... 5
  1.2 Symmetric-key Cryptography ..... 6
    1.2.1 Overview of block ciphers ..... 6
    1.2.2 Cryptanalysis of encryption algorithms ..... 8
    1.2.3 Other symmetric-key cryptographic primitives ..... 12
  1.3 Lightweight Cryptography ..... 15
    1.3.1 Brief history on conventional cryptography ..... 16
    1.3.2 Rise of lightweight cryptography ..... 17
  1.4 About this Thesis ..... 19
    1.4.1 Overview ..... 19
    1.4.2 Organisation of this thesis ..... 20

2 Preliminaries ..... 23
  2.1 Mathematical Background ..... 23
    2.1.1 Matrix notation and properties ..... 23
    2.1.2 Finite field notation and properties ..... 24
    2.1.3 Vector subspace notation ..... 25
    2.1.4 Permutation notation ..... 25
    2.1.5 Probability: application to linear cryptanalysis ..... 26
  2.2 Components of SPN Cipher ..... 26
    2.2.1 Substitution layer ..... 27
    2.2.2 Permutation layer ..... 31
  2.3 Cryptanalysis Techniques ..... 34
    2.3.1 Differential cryptanalysis ..... 34
    2.3.2 Linear cryptanalysis ..... 36
    2.3.3 Other cryptanalysis techniques ..... 37

Cryptanalysis of Symmetric-key Cryptography ..... 41

3 Practical Differential Attack on JAMBU ..... 43
  3.1 The JAMBU Authenticated Encryption Scheme ..... 44
    3.1.1 Description of JAMBU ..... 44
    3.1.2 Security claims ..... 45
  3.2 Attack on JAMBU in Nonce-Misuse Scenario ..... 46
    3.2.1 Attack overview ..... 47
    3.2.2 Distinguishing attack ..... 47
    3.2.3 Extension to a plaintext-recovery attack ..... 51
    3.2.4 Discussion on trivial attacks ..... 52
  3.3 Attack on JAMBU in Nonce-Respecting Scenario ..... 53
    3.3.1 Distinguishing attack ..... 54
    3.3.2 Extension to a plaintext-recovery attack ..... 55
    3.3.3 Discussion on trivial attacks ..... 56
  3.4 Implementation of the Attack ..... 56
    3.4.1 Results of the attack ..... 56
    3.4.2 Running time of the attack ..... 58
  3.5 Conclusion ..... 58

4 Invariant Subspace Attack on Midori64 ..... 59
  4.1 Description of Midori ..... 60
  4.2 Invariant Subspace Attack on Midori64 ..... 62
    4.2.1 Distinguisher with invariant subspace attack ..... 63
    4.2.2 Key-recovery with invariant subspace attack ..... 65
  4.3 Extended Analysis: Weaker Constant ..... 66
  4.4 Concluding Remarks ..... 68

Diffusion and Substitution Layers ..... 69

5 Lightweight MDS Diffusion Matrices ..... 71
  5.1 Introduction ..... 72
    5.1.1 Motivation ..... 72
    5.1.2 Matrix types ..... 72
  5.2 Matrix Properties ..... 74
    5.2.1 Properties of Hadamard matrices ..... 74
    5.2.2 Properties of cyclic matrices ..... 75
  5.3 Compact Equivalence Classes of Matrices ..... 79
    5.3.1 CEC of Hadamard matrices ..... 80
    5.3.2 CEC of cyclic matrices ..... 82
  5.4 Search and Results ..... 84
    5.4.1 Search methodology ..... 84
    5.4.2 Survey of lightweight (I)MDS matrices ..... 86
  5.5 Summary ..... 90

6 Security of S-boxes ..... 93
  6.1 Preliminaries ..... 93
  6.2 DDT and Affine Subspace of an S-box ..... 94
    6.2.1 Deriving the DDT from low dimension affine subspace ..... 95
    6.2.2 Deriving affine subspace from the DDT ..... 95
    6.2.3 Recovering all affine subspace transitions from the DDT ..... 96
    6.2.4 Remarks on affine subspace with higher dimension ..... 97
  6.3 Case Study and Search for Strong S-boxes ..... 99
    6.3.1 Classification for case analysis ..... 99
    6.3.2 Searching for strong involutory S-boxes ..... 101
    6.3.3 Searching for strong non-involutory S-boxes ..... 103
  6.4 Summary ..... 105

Encryption Algorithm Design ..... 107

7 Beyond Ultra-Lightweight Block Ciphers ..... 109
  7.1 On Lightweight Block Ciphers ..... 109
    7.1.1 Design choices of lightweight block ciphers ..... 109
    7.1.2 Challenges in lightweight primitive designs ..... 110
  7.2 Designing BULB Ciphers ..... 113
    7.2.1 Going beyond ultra-lightweight block ciphers ..... 113
    7.2.2 Design strategies ..... 114
    7.2.3 Design approaches ..... 115
  7.3 New Framework for Block Ciphers ..... 115
    7.3.1 Classification of block ciphers ..... 115
    7.3.2 Ideal rate of influence of block ciphers ..... 116

8 The SKINNY Family of Block Ciphers ..... 119
  8.1 Specifications of SKINNY ..... 120
  8.2 Rationale of SKINNY ..... 127
    8.2.1 The designing of SKINNY ..... 127
    8.2.2 General design and components rationale ..... 128
    8.2.3 Comparing differential bounds ..... 132
  8.3 Security Analysis ..... 134
    8.3.1 Differential and linear cryptanalysis ..... 135
    8.3.2 Impossible differential cryptanalysis ..... 136
    8.3.3 Invariant subspace attacks ..... 138
    8.3.4 Algebraic attacks ..... 140
    8.3.5 Third-party security analysis of SKINNY ..... 140
  8.4 Performance and Comparison ..... 141
    8.4.1 Hardware implementations ..... 141
    8.4.2 Software implementations ..... 143
  8.5 Conclusion ..... 144

9 GIFT: A Small Present ..... 145
  9.1 Specifications .....