Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-Lightweight Symmetric Primitives THÈSE NO 5415 (2012) PRÉSENTÉE LE 27 AOÛT 2012 À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS LABORATOIRE DE SÉCURITÉ ET DE CRYPTOGRAPHIE PROGRAMME DOCTORAL EN INFORMATIQUE, COMMUNICATIONS ET INFORMATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Pouyan SEPEHRDAD acceptée sur proposition du jury: Prof. E. Telatar, président du jury Prof. S. Vaudenay, directeur de thèse Prof. A. Canteaut, rapporteur Prof. A. Lenstra, rapporteur Prof. W. Meier, rapporteur Suisse 2012 To my two angels of God, my mother and father whom without their help, devotion, affection, love and support not only this dissertation could not be accomplished, but I was not able to put my feet one step forward towards improvement. Abstract Symmetric cryptographic primitives such as block and stream ciphers are the building blocks in many cryptographic protocols. Having such blocks which provide provable security against various types of attacks is often hard. On the other hand, if possible, such designs are often too costly to be implemented and are usually ignored by practitioners. Moreover, in RFID protocols or sensor networks, we need lightweight and ultra-lightweight algorithms. Hence, cryptographers often search for a fair trade-off between security and usability depending on the application. Contrary to public key primitives, which are often based on some hard problems, security in symmetric key is often based on some heuristic assumptions. Often, the researchers in this area argue that the security is based on the confidence level the community has in their design. Consequently, everyday symmetric protocols appear in the literature and stay secure until someone breaks them. In this thesis, we evaluate the security of multiple symmetric primitives against statistical and algebraic attacks. This thesis is composed of two distinct parts: In the first part, we investigate the security of RC4 stream cipher against statistical attacks. We focus on its applications in WEP and WPA protocols. We revisit the previous attacks on RC4 and optimize them. In fact, we propose a framework on how to deal with a pool of biases for RC4 in an optimized manner. During this work, we found multiple new weaknesses in the corresponding applications. We show that the current best attack on WEP can still be improved. We compare our results with the state of the art implementation of the WEP attack on Aircrack-ng program and improve its success rate. Next, we propose a theoretical key recovery and distinguishing attacks on WPA, which cryptographically break the protocol. We perform an extreme amount of experiments to make sure that the proposed theory matches the experiments. Finally, we propose a concrete theoretical and empirical proof of all our claims. These are currently the best known attacks on WEP and WPA. In the second part, we shed some lights on the theory behind ElimLin, which is an algorithm for solving multivariate polynomial systems of equations. We attack PRESENT and LBlock block ciphers with ElimLin algorithm and compare their security using this algebraic technique. Then, we investigate the security of KATAN family of block ciphers and multi-purpose cryptographic primitive ARMADILLO against algebraic attacks. We break reduced-round versions of several members of KATAN family by proposing a novel pre-processing technique on the original algebraic representation of the cipher before feeding it to a SAT solver. Finally, we propose a devastating practical key recovery attack against the ARMADILLO1 protocol, which breaks it in polynomial time using a few challenge-response pairs. Keywords: Symmetric cryptography, light-weight cryptography, statistical attacks, RC4 crypt- V analysis, WEP and WPA, block and stream ciphers, algebraic cryptanalysis, systems of sparse polynomial equations of low degree, challenge-response protocols, ElimLin, SAT solving techniques VI R´esum´e Les primitives cryptographiques `acl´esym´etriquecomme les syst`emesde chiffrement par blocs et les syst`emesde chiffrement `aflot sont les composantes de base de nombreux protocoles cryp- tographiques. Il est souvent difficile d'avoir de telles composantes dont la s´ecurit´eest prouv´ee contre divers types d'attaques. Aussi, de telles conceptions sont souvent trop co^uteusespour ^etre impl´ement´eeset sont habituellement ignor´eesen pratique. De plus, dans des environnements sous contraintes comme les protocoles RFID ou les r´eseauxde capteurs, il est primordial d'utiliser des algorithmes bas-co^ut.Il est donc n´ecessairepour les cryptographes de rechercher un bon com- promis entre la s´ecurit´eet l'utilisabilit´e.Ce compromis d´epend de l'application. Contrairement aux primitives `acl´epublique qui sont souvent bas´eessur des probl`emessuppos´es^etredifficiles `a r´esoudre,la s´ecurit´edes syst`emes`acl´esym´etriqueest souvent bas´eesur des suppositions heuris- tiques. Les chercheurs dans ce domaine affirment souvent que la s´ecurit´eest bas´eesur le niveau de confiance qu'a la communaut´een leur construction. En cons´equence,de nouveaux protocoles `acl´e sym´etriqueapparaissent r´eguli`erement et restent s^ursjusqu’`ace que quelqu'un les cassent. Dans cette th`ese, nous ´evaluons la s´ecurit´ede plusieurs primitives `acl´esym´etriquecontre les attaques statistiques et alg´ebriques.Cette th`eseest compos´eede deux parties distinctes. Dans la premi`erepartie, nous ´etudionsla s´ecurit´econtre les attaques statistiques du syst`eme de chiffrement `aflot RC4. Nous nous int´eressonsen particulier `ases applications dans les pro- tocoles WEP et WPA. Nous revisitons les attaques d´evelopp´eespr´ec´edemment sur RC4 et nous les optimisons. En fait, nous proposons un cadre pour traiter une banque de biais pour RC4 de fa¸conoptimis´ee.Dans ce travail, nous avons trouv´ede nombreuses nouvelles vuln´erabilit´esdans les applications correspondantes. Nous montrons aussi que la meilleure attaque actuellement existante sur WEP peut encore ^etream´elior´ee.Nous comparons nos r´esultatsavec le logiciel Aircrack-ng, la meilleure impl´ementation actuelle attaquant WEP et nous am´elioronssa probabilit´ede succ`es. Ensuite, nous proposons des attaques par distingueurs ainsi qu'une attaque th´eoriquesur WPA qui r´ecup`erela cl´esecr`ete.Ces attaques cassent le protocole d'un point de vue cryptographique. Nous effectuons une ´enormequantit´ed'exp´eriencesafin d'^etres^ursque la th´eorieque nous proposons soit bien v´erifi´eeen pratique. Finalement, nous proposons des preuves th´eoriqueset empiriques de toutes nos affirmations. Nos attaques sont actuellement les meilleures attaques sur WEP et WPA. Dans la deuxi`emepartie, nous apportons quelques ´eclaircissements sur la th´eoriederri`ere Elim- Lin qui est un algorithme utilis´epour r´esoudredes syst`emesd'´equationspolynomiales multivari´ees. Nous ´etudions ensuite la s´ecurit´econtre les attaques alg´ebriquesde plusieurs syst`emesde chiffre- ments par blocs et d'une primitive cryptographique multi-usage. Cette liste comprend KATAN, PRESENT et LBlock pour les chiffrement par blocs et ARMADILLO1 pour la primitive cryptogra- phique multi-usage. Nous cassons des versions r´eduitesde plusieurs membres de la famille KATAN VII et nous proposons une nouvelle technique de pr´etraitement sur la repr´esentation alg´ebriquedu syst`emeavant de le donner `aun solveur SAT. Nous attaquons les syst`emesde chiffrement par blocs PRESENT et LBlock en utilisant l'algorithme ElimLin et nous comparons leur s´ecurit´een utilisant cette technique alg´ebrique.Finalement, nous proposons une attaque `ar´ecup´erationde cl´e d´evastatrice contre le protocole ARMADILLO1 qui le casse en temps polynomial en utilisant un faible nombre de paires challenge/r´eponse. Mots-cl´es: Cryptographie `acl´esym´etrique,cryptographie bas-co^ut,attaques statistiques, cryp- tanalyse de RC4, WEP et WPA, syst`emesde chiffrement par blocs, syst`emesde chiffrement `a flot, syst`emesd'´equationspolynomiales creuses de faible degr´e,protocoles de challenge/r´eponse, ElimLin, techniques r´esolvant SAT VIII Acknowledgment There are always some influential people in anyone's academic life. Since this dissertation is the last written document in my student life, I would like to thank all those who changed my life and attitude during these exciting and challenging years: I can not imagine how I can thank the best teachers of my life, my two angels of God, my parents, for all their support, help, sacrifices and love during my entire life; the only ones who were always there for me in both my happiness and hard time; the ones I love the most for ever and can not reciprocate even a small part of what they did for me. At any period in my academic life, it was my dream to have someone beside me who has the answer to all my questions. I never had such an opportunity before I met Prof. Serge Vaudenay. For me, Serge is the realization of the \Decryption Oracle" in cryptography. I have never met anyone brighter and smarter in my life. One of the hardest decisions in my academic life was to decide whether to pursue PhD studies in England or to join Serge's group at EPFL, Switzerland. Quoting one of my favorite statements from one of the most influential people in Computer Science, Steve Jobs: \you can not connect the dots looking forward; you can only connect them looking backwards". Looking backward, coming to LASEC was the best decision I have ever made in my academic life. I would like to warmly thank Serge for giving me the opportunity to join his group, his help and support, providing such a nice environment for research and always motivating me to deliver precise results. I would like to warmly thank Dr. Nicolas Courtois for his extreme kindness, help and support during the last 5 years. More importantly, he changed my attitude towards several points in life. I learned from him to follow my passion and to do research in areas which I find interesting, though other people believe what I am doing is of no interest.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages180 Page
-
File Size-