Methods and Tools for Analysis of Symmetric Cryptographic Primitives

Similar documents
Extended Criterion for Absence of Fixed Points

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

The Advanced Encryption Standard

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

State Space Cryptanalysis of The MICKEY Cipher

The Rijndael Block Cipher

AURORA: A Cryptographic Hash Algorithm Family

Improved S-Box Construction from Binomial Power Functions

AES side channel attacks protection using random isomorphisms

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Public-key Cryptography: Theory and Practice

Analysis of cryptographic hash functions

Symmetric Crypto Systems

Table Of Contents. ! 1. Introduction to AES

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

A Five-Round Algebraic Property of the Advanced Encryption Standard

Symmetric Crypto Systems

The Hash Function JH 1

Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Functions on Finite Fields, Boolean Functions, and S-Boxes

MASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES

Stream Ciphers: Cryptanalytic Techniques

Differential Fault Analysis on A.E.S.

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Module 2 Advanced Symmetric Ciphers

Affine equivalence in the AES round function

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Invariant Subspace Attack Against Full Midori64

Lecture 12: Block ciphers

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

Algebraic Aspects of Symmetric-key Cryptography

Practical Free-Start Collision Attacks on full SHA-1

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Cube Attacks on Stream Ciphers Based on Division Property

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Algebraic attack on stream ciphers Master s Thesis

Thesis Research Notes

Analysis of Some Quasigroup Transformations as Boolean Functions

Algebraic Attack Against Trivium

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Sequences, DFT and Resistance against Fast Algebraic Attacks

Some integral properties of Rijndael, Grøstl-512 and LANE-256

The Hash Function Fugue

Cryptographic D-morphic Analysis and Fast Implementations of Composited De Bruijn Sequences

Quadratic Equations from APN Power Functions

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Improved Fast Correlation Attacks Using Parity-Check Equations of Weight 4 and 5

Analysis of SHA-1 in Encryption Mode

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Subspace Trail Cryptanalysis and its Applications to AES

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Linear Cryptanalysis of Reduced-Round PRESENT

Leftovers from Lecture 3

Collision Attack on Boole

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Algebraic properties of SHA-3 and notable cryptanalysis results

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

ECS 189A Final Cryptography Spring 2011

Multiplicative Complexity Reductions in Cryptography and Cryptanalysis

Subspace Trail Cryptanalysis and its Applications to AES

Numerical Solvers in Cryptanalysis

Differential properties of power functions

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Specification on a Block Cipher : Hierocrypt L1

Analysis of Trivium Using Compressed Right Hand Side Equations

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Cryptanalysis of SP Networks with Partial Non-Linear Layers

STRIBOB : Authenticated Encryption

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

On the computation of best second order approximations of Boolean Functions ΕΤΗΣΙΑ ΕΚΘΕΣΗ 2010

ACORN: A Lightweight Authenticated Cipher (v3)

A Weak Cipher that Generates the Symmetric Group

New Implementations of the WG Stream Cipher

Nonlinear Equivalence of Stream Ciphers

STREAM CIPHER. Chapter - 3

Exam Security January 19, :30 11:30

University of Bergen Faculty of Mathematical and Natural Sciences Department of Informatics The Selmer Center

A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES

Filtering Nonlinear Feedback Shift Registers using Welch-Gong Transformations for Securing RFID Applications

Security II: Cryptography exercises

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

On the Design of Trivium

Security of the AES with a Secret S-box

S-box (Substitution box) is a basic component of symmetric

Cryptographic Hash Functions

ORYX. ORYX not an acronym, but upper case Designed for use with cell phones. Standard developed by. Cipher design process not open

High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

Transcription:

Methods and Tools for Analysis of Symmetric Cryptographic Primitives Oleksandr Kazymyrov University of Bergen Norway 14th of October, 2014 Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 1 / 67

Main goal Improving the resistance of modern iterative cryptographic primitives to advanced attacks through the development of methods and tools of cryptanalysis. Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 2 / 67

National and international competitions Advanced Encryption Standard (1997-2001) New European Schemes for Signatures, Integrity and Encryption (2000-2003) estream (2004-2008) CRYPTREC (2000-2003-...) Ukrainian open competition to design a prototype of a block cipher for the new standard (2006-2009) SHA-3 (2007-2012) Closed competition to develop an advanced hash function and block cipher (2010-2012, 2013-...) Competition for Authenticated Encryption: Security, Applicability, and Robustness (2014-...) Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 3 / 67

An iterated block cipher A block cipher encrypts a block of plaintext or message M into a block of ciphertext C using a secret key K. Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 4 / 67

New design principles Branch number Key Expansion The Wide Trail Design Strategy Nonlinearity AES MDS property... δ-uniformity Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 5 / 67

Methods of cryptanalysis Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 6 / 67

Next generation of cryptoprimitives MACs Design principles of AES Block ciphers Stream ciphers Hash functions Authenticated encryption Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 7 / 67

Substitutions Figure : A Substitution Box Possible variants n > m n < m n = m #img(s-box) = 2 n Representations lookup tables vectorial Boolean functions A set of Boolean functions system of equations Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 8 / 67

Application of substitutions Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 9 / 67

Cryptographic properties of S-boxes Definition An S-box is a mapping of an n-bit input message to an m-bit output message. Minimum degree Balancedness Nonlinearity Correlation immunity δ-uniformity Cyclic structure Algebraic immunity Absolute indicator Absence of fixed points Propagation criterion Sum-of-squares indicator... Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 10 / 67

EA-equivalence Two functions F and G are called EA-equivalent if F (x) = A 1 G A 2 (x) + L 3 (x) for some affine permutations A 1 (x) = L 1 (x) + c 1, A 2 (x) = L 2 (x) + c 2 and a linear function L 3 (x). Functions F and G are restricted EA-equivalent if some functions of {L 1, L 2, L 3, c 1, c 2 } are in {0, x} linear equivalent: {L 3, c 1, c 2 } = {0, 0, 0} affine equivalent: L 3 = 0 Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 11 / 67

EA-equivalence For F, G : F n 2 F m 2 another form of representation of EA-equivalence is the matrix form F (x) = M 1 G(M 2 x V 2 ) M 3 x V 1 where elements of {M 1, M 2, M 3, V 1, V 2 } have dimensions {m m, n n, m n, m, n}. Matrices M i and vectors V j have a form k 0,0 k 0,n 1 k 1,0 k 1,n 1 M =....., V = k m 1,0 k m 1,n 1 v 0 v 1... v m 1. Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 12 / 67

Algebraic Attacks Using Binary Decision Diagrams Oleksandr Kazymyrov Håvard Raddum University of Bergen Simula Research Laboratories Norway BalkanCryptSec 14 October 16, 2014 Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 13 / 67

Binary Decisions Diagrams (BDDs) f (x 1, x 2, x 3 ) = x 1 x 3 + x 1 + x 2 + x 3 + 1 Figure : Binary decision diagram for the f function Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 14 / 67

S-box representation using BDD S-box = {5, C, 8, F, 9, 7, 2, B, 6, A, 0, D, E, 4, 3, 1} Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 15 / 67

Description of 4-round AES Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 16 / 67

Digital Encryption Standard (DES) 2007: a system of equations for 6-round DES solved with MiniSat in 68 seconds (Courtois & Bard) But... necessary to fix 20 bits of the key to correct values BDD method allows to solve the 6-round DES in the same time without guessing (8 chosen plaintexts) rounds # texts 1 2 3 4 5 6 7 8 4 2 22.715 2 14.506 2 10.606 2 10.257 2 9.805 2 10.070 2 10.203 2 10.381 5 2 22.110 2 16.455 2 13.526 2 13.995 2 14.212 2 14.410 2 14.704 6 2 24.929 2 22.779 2 20.571 Table : Complexities of breaking reduced DES Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 17 / 67

MiniAES There is no previous algebraic attacks for 10-round version The best know attack is only for 2 rounds BDD approach allows to break full version of MiniAES using only 1 chosen plaintext Rounds 4 5 6 7 8 9 10 Complexity 2 22.404 2 23.051 2 23.440 2 24.154 2 24.217 2 24.862 2 24.961 Table : Complexities of breaking MiniAES Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 18 / 67

Finding EA-equivalence # n Number of solutions Seconds used to solve BDD GB SAT 1 4 2 2 4.05 2 1.30 2 13.71 2 4 60 2 4.86-2 16.77 3 4 2 2 3.92 2 1.01 2 12.08 4 5 1 2 10.20 2 11.43 > 2 18 5 5 155 2 10.48 - > 2 18 not finished after 78 hours Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 19 / 67

Summary New approaches to algebraic attacks development The BDD approach allows to reduce complexity of algebraic attack on DES by 2 20 Firstly was presented practical algebraic attack on 10-round MiniAES In some cases the BDD method is more universal and shows the best results compared to known methods Oleksandr Kazymyrov Algebraic Attacks Using Binary Decision Diagrams 20 / 67

A Sage Library for Analysis of Nonlinear Binary Mappings Anna Maria Eilertsen Oleksandr Kazymyrov Valentyna Kazymyrova Maksim Storetvedt Selmer Center, Department of Informatics, University of Bergen, Norway CECC 14 May 21, 2014 Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 21 / 67

List of properties Definition An S-box is a mapping of an n-bit input message to an m-bit output message. Minimum degree Balancedness Nonlinearity Correlation immunity δ-uniformity Cyclic structure Algebraic immunity Absolute indicator Absence of fixed points Propagation criterion Sum-of-squares indicator... Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 22 / 67

Design principles Orientation on arbitrary n and m Code optimization for performance Implementation of widely used cryptographic indicators Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 23 / 67

Generation of substitutions Gold Kasami Welch Niho Inverse Dobbertin Dicson APN for n = 6 Optimal permutation polynomials for n = 4 Polynomial Unification of the functions generate sbox calls different methods based on parameters method and T which define generation method and equivalence respectively.... Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 24 / 67

Additional functionality Extra functions Resilience (balancedness and correlation immunity) Maximum value of linear approximation table APN property check (optimized) Convert linear functions to matrices and vice versa Apply EA- and CCZ-equivalence Generation of substitutions Based on user-defined polynomial (trace supported) Random substitution/permutation With predefined properties Input/output Set and get S-boxes as lookup tables Get univariate representation/system of equations Convert polynomial to/from internal representation Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 25 / 67

Performance Time in seconds 25 20 15 10 5 MDT MLT Minumum degree Algebraic immunity 0 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Dimension of substitutions Figure : The relationship between dimension of random substitutions and time of calculation Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 26 / 67

Summary A high performance library to analyze and generate arbitrary binary nonlinear mappings Lots of cryptographic indicators and generation functions are included Functionality can be expanded quite easily Under development Hard to run for the first time Works only in consoles Source code: https://github.com/okazymyrov/sbox Oleksandr Kazymyrov A Sage Library for Analysis of Nonlinear Binary Mappings 27 / 67

A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent Oleksandr Kazymyrov Valentyna Kazymyrova Roman Oliynykov Selmer Center, Department of Informatics, University of Bergen, Norway. Department of Information Technologies Security, Kharkov National University of Radioelectronics, Ukraine CTCrypt 13 June 24, 2013 Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 28 / 67

Optimal substitutions Definition Substitutions satisfying mandatory criteria essential for a particular cryptographyc algorithm are called optimal. An optimal permutation for a block cipher has maximum value of minimum degree maximum algebraic immunity minimum δ-uniformity maximum nonlinearity without fixed points (cycles of length 1) Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 29 / 67

Example of criteria An optimal permutation without fixed points for n = m = 8 must have minimum degree 7 algebraic immunity 3 (441 equations) δ 8 NL 104 Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 30 / 67

Proposed method Definition F is a highly nonlinear vectorial Boolean function with low δ-uniformity. Example: F = x 1 and NP = 26 for n = m = 8. Algorithm 1 Generate a substitution S based on F. 2 Swap NP values of S randomly and set it to S t. 3 Test S t for all criteria depending on with the least complexity. If the S-box satisfies all of them except the cyclic properties then go to 4. Otherwise repeat step 2. 4 Return S t. Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 31 / 67

Performance of practical methods Minutes for 1 S-box, log2 15 10 5 0 1 min Proposed 5 1 s Random Tesař 10 88 90 92 94 96 98 100 102 104 Nonlinearity Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 32 / 67

Comparison with known substitutions Properties AES GOST R STB Kalyna Proposed 34.11-2012 34.101.31-2011 S0 S-box δ-uniformity 4 8 8 8 8 Nonlinearity 112 100 102 96 104 Absolute Indicator 32 96 80 88 80 SSI 133120 258688 232960 244480 194944 Minimum Degree 7 7 6 7 7 Algebraic Immunity 2(39) 3(441) 3(441) 3(441) 3(441) Table : Substitutions comparison Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 33 / 67

Summary The analysis shows that both theoretical and random methods fail in case of optimal substitutions. The proposed method has the highest performance among the known methods available in public literature. Application of the proposed method allows to generate optimal permutations for perspective symmetric cryptoprimitives providing a high level of resistance to differential, linear and algebraic cryptanalysis. Oleksandr Kazymyrov A Method For Generation Of High-Nonlinear S-Boxes Based On Gradient Descent 34 / 67

Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 Oleksandr Kazymyrov Valentyna Kazymyrova Selmer Center, Department of Informatics, University of Bergen, Norway CTCrypt 13 June 25, 2013 Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 35 / 67

Hash function Stribog Stage 1 Stage 2 Stage 3 Σ m 1 m 2 m 3... m t m IV g g g h h... g h g h g h g h N... 0 0 512 512 512 512 M Σ = N = 0 512 { 0, Stribog-512 IV = (00000001) 64, Stribog-256 t = M 512 m = 0 512 M 1 M { h, Stribog-512 H = MSB 256 (h), Stribog-256 Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 36 / 67

Construction of the compression function g h i 1 N m i F h i 1 N g E S P L h i Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 37 / 67

Motivation Motivation More understandable form Easier to find properties Modified structure of Rijndael Individual (i.e. MDS) Complex (diff. probability) Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 38 / 67

State representation An alternative representation Reverse input bits AES-like transformations (the state as in Grøstl) Reverse output bits B 0, B 1,..., B 63 B 0, B 1,..., B 63 ReverseBits b 0, b 1,..., b 511 b 511, b 510,..., b 0 Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 39 / 67

Transposition and SubBytes operations Transposition is invariant operation. Substitution has the form F (x) = D G D(x) for linearized polynomial D : F 2 n F 2 n. 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 3F FB D7 E0 9F E5 A8 04 97 07 AD 87 A0 B5 4C 9A 1 DF EB 4F 0C 81 58 CF D3 E8 3B FD B1 60 31 B6 8B 2 F3 7C 57 61 47 78 08 B4 C9 5E 10 32 C7 E4 FF 67 3 C4 3E BF 11 D1 26 B9 7D 28 72 39 53 FE 96 C3 9C 4 BB 24 34 CD A6 06 69 E6 0F 37 70 C1 40 62 98 2E 5 5F 6B 16 D6 3C 1C 1E A4 8F 14 C8 55 B7 A5 63 F5 6 8C C2 12 B8 F7 46 59 90 99 0D 6E 1F F1 AA 51 2D 7 20 9D 73 E7 71 64 4D 36 FA 50 BA A1 CB A9 B0 C6 8 77 AF 2C 1A 18 E9 85 8E EE F0 0E D8 21 A2 AE 65 9 23 9E 54 EC 38 1D 89 D9 6C 17 4E CA D0 C5 2A 66 A 76 15 13 35 3A 00 DE D4 74 29 30 FC 56 7A AC 2F B A3 44 5C 9B 80 F9 79 A7 B3 CC ED 1B 2B AB BD D2 C 88 95 8A 02 5A CE 94 25 DB 7B 6A 92 75 49 BC 4B D 5B 6F 45 27 42 41 F6 0B DD 0A E2 09 19 BE 01 43 E 68 93 D5 EF 84 22 E3 DA 5D 3D 48 7F 05 F4 7E 03 F B2 C0 33 91 F2 82 8D 4A 83 52 E1 86 F8 DC EA 6D Table : The Substitution F for AES-like Description Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 40 / 67

Representation of MixColumns Let L : F 2 n F 2 n be a linear function of the form Proposition (Paper VII) n 1 L(x) = δ i x 2i, δ i F 2 n. i=0 Any linear function L : F 2 n F 2 m can be converted to a matrix with the complexity O(n). L(x) = δx, δ i = 0, for 1 i n 1. Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 41 / 67

Representation of MixColumns The main steps of proposed algorithm for obtaining MDS matrix over F 2 8 from 64 64 matrix over F 2 for every irreducible polynomial (30) convert each of 8 8 submatrices to the element of the filed check MDS property of the resulting matrix Additional transformation It is necessary to transpose matrix of Stribog before applying the algorithm. Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 42 / 67

MixColumns 71 05 09 B9 04 88 5B B2 61 a 0 aa2 8 a 16 27a 24 0E a 32 a 40 a 48 48 a 56 E4 a 1 a36 9 a 17 5Fa 25 65 a 33 a 41 a 49 a 57 BA a 2 a2c 10 a 18 04a 26 A5 a 34 a 42 a 50 a 58 a 3 a a 19 a 27 a 35 a 43 51 a 0F 11 2A 76 a 59 51 a 4 a 12 a 20 a 28 a 36 a 44 52 a 60 39 a 5 a5e 13 a 15 21 a 24 a 52 29 a 37 a 45 53 a 61 17 a 6 a1c 14 a 22 D0 a 30 02 a 38 a 46 a 53 54 a 62 55 a 7 aa0 15 a 23 4Ca 31 9A a 39 a 47 a 54 55 a 63 a 55 5F CB AD 0F E5 01 54 BA D4 81 1C FA 05 71 5E 66 2D F1 E7 28 0E 02 F6 8A 15 9D 39 71 b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 b 16 b 24 b 32 b 40 b 48 48 b 56 b 9 b 17 b 25 b 33 b 41 b 49 b 57 b 10 b 18 b 26 b 34 b 42 b 50 b 58 b 11 b 19 b 27 b 35 b 43 b 51 b 59 51 b 12 b 20 b 28 b 36 b 44 52 b 60 b b 13 b 21 b 29 b 37 b 45 52 53 b 61 b 14 b 22 b 30 b 38 b 46 b 53 54 b 62 b 15 b 23 b 31 b 39 b 47 b 54 55 b 63 b 55 Multiplying the vector by the constant 8 8 matrix G over F 2 8 with the primitive polynomial f (x) = x 8 + x 6 + x 5 + x 4 + 1 B = G A Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 43 / 67

Summary GOST R 34.11-2012 is based on GOST 34.11-94 as well as on Whirlpool/Grøstl/AES. Proposed method to reconstruct initial representation has many application fields. Nonlinear dependence of the performance and the message length. More details on https://github.com/okazymyrov Oleksandr Kazymyrov Algebraic Aspects of the Russian Hash Standard GOST R 34.11-2012 44 / 67

Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov Valentyna Kazymyrova Selmer Center, Department of Informatics, University of Bergen, Norway CTCrypt 13 June 25, 2013 Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 45 / 67

Properties of substitutions Definition Substitution boxes (S-boxes) map an n-bit input message to an m-bit output message. Minimum of Algebraic Degree Balancedness Nonlinearity Correlation Immunity δ-uniformity Cycle Structure Algebraic Immunity Absolute Indicator Absence of Fixed Points Propagation Criterion Sum-of-squares indicator... Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 46 / 67

Definitions and notations Definition A substitution must not have fixed point, i.e. F (a) a, a F n 2. Definition Two ciphers E i and E j are isomorphic to each other if there exist invertible maps φ : x i x j, ψ : y i y j and χ : k i k j such that y i = E i (x i, k i ) and y j = E j (x j, k j ) are equal for all x i, k i, x j and k j. Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 47 / 67

Basic functions of AES The round function consists of four functions AddroundKey (σ k ) SubBytes (γ) ShiftRows (π) MixColumns (θ) E K (M) = σ kr+1 π γ r (σ ki θ π γ) σ k1 (M). Both MixColumns and ShiftRows are linear transformations with respect to XOR i=2 θ(x + y) = θ(y) + θ(y); π(x + y) = π(y) + π(y). Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 48 / 67

Isomorphic algorithm to AES Figure : Encryption Algorithm Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 49 / 67

Isomorphic algorithm to AES Figure : Encryption Algorithm Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 50 / 67

Comments on the isomorphic cipher Last π function does not increase security. Permutation has fixed point (x = 0) F (x) = L 1 (x 1 ) = M 1 x 1 Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 51 / 67

Summary Isomorphic ciphers allow to Show redundancy of the last ShiftRow operation of the AES. Prove/disprove necessity of some characteristics of substitutions. Introduce new criterion for several substitutions. Show advantages of addition modulo 2 n in comparison with XOR operation. Proposition At least absence of fixed points criterion should be reviewed with other components of ciphers. Oleksandr Kazymyrov Extended Criterion for Absence of Fixed Points 52 / 67

State space cryptanalysis of the MICKEY cipher Tor Helleseth Cees J.A. Jansen Oleksandr Kazymyrov Alexander Kholosha Selmer Center, Department of Informatics, University of Bergen, Norway ITA 13 February 11, 2013 Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 53 / 67

A general attack scenario on stream ciphers Recover states of registers (Berlekamp-Massey algorithm, algebraic attack, Rønjom-Helleseth attack) Find the key based on the known state allows to estimate the number of possible states Note In some stream ciphers the first step is sufficient to find the key Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 54 / 67

Tree of backward states level n............... level 2......... level 1 level 0 Branches... Initial state Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 55 / 67

Degree probabilities Degree Key/IV load Preclock mode KG 80 v2 128 v2 80 v2 128 v2 80 v2 128 v2 0 0.2773 0.2186 0.3052 0.29 0.3041 0.3038 1 0.00001 0.1047 0.4345 0.4534 0.4323 0.4154 2 0.4331 0.3753 0.2523 0.2256 0.2558 0.2698 3 0.00002 0.1029-0.0289 - - 4 0.28 0.1783 0.008 0.0021 0.0079 0.0111 6 0.00007 0.0203 - - - - 8 0.0095 - - - - - Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 56 / 67

Determination of key bits based on a backward states tree Bit probability Level MICKEY-80 v2 MICKEY-128 v2 1 0 1 0 1 0.5 0.5 1 0 2 0.5 0.5 0.5 0.5 3 0.5 0.5 0 1 4 0.5 0.5 0.5 0.5 5 0.4857 0.5143 0.5 0.5 O(2 126 + 2 t ) t 126 O(2 126 ) < O(2 128 ) Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 57 / 67

Meet-in-the-middle attack on MICKEY O(2 k 2 +2 ) = O d (2 k 2 ) + Oi (2 k 2 ) + Of (2 k 2 ) Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 58 / 67

Identical key-streams for different key/iv pairs Let zi h be i-th bit of a key-stream for h-th pair of (K h, IV h ). Suppose also that K 1 = k 0, k 1,..., k n 1 Then it is possible to find such (K 1, IV 1 ) and (K 2, IV 2 ) for which the states of registers will differ by one clock and the key-streams have the property z 2 i = z 1 i+1 Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 59 / 67

An example of key/iv with shifted key-streams K 1 = {d3, ec, f 0, 84, 8a, 1d, b1, b7, 4a, dd} IV 1 = {58, e5, 77, 0a, 9c, a2, 34, c7, cd, 5e} (79bits) K 2 = {a7, d9, e1, 09, 14, 3b, 63, 6e, 95, ba} IV 2 = {58, e5, 77, 0a, 9c, a2, 34, c7, cd, 5f } (80bits) Z 1 = {0, B7, 61, 27, 92, C5, 85, 91, 51, 18, 2A, D6, 7C, 8C, C8, C7, 04} Z 2 = { B7, 61, 27, 92, C5, 85, 91, 51, 18, 2A, D6, 7C, 8C, C8, C7, 04, 1} Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 60 / 67

Summary Proposed method allows to estimate degrees probability at the design stage of MICKEY-like ciphers. Stepping backwards in the state space of MICKEY is possible and feasible in all modes including key/iv load mode. A minor change in the feedback function of the R-register involve dramatically changes in cycles. Thus, it is possible to justify the choice of the encryption algorithm parameters. Several practical attack scenarios based on known states were proposed. Oleksandr Kazymyrov State space cryptanalysis of the MICKEY cipher 61 / 67

Verification of EA-equivalence for Vectorial Boolean Functions Lilya Budaghyan Oleksandr Kazymyrov Selmer Center, Department of Informatics, University of Bergen, Norway WAIFI 12 July 17, 2012 Oleksandr Kazymyrov Verification of EA-equivalence for Vectorial Boolean Functions 62 / 67

Open problems 1. Verification of EA-equivalence for arbitrary functions. 2. For given functions F and G, find affine permutations A 1, A 2 and a linear function L 3 such that F (x) = A 1 G A 2 (x) + L 3 (x) Complexity ( ) of exhaustive search for F, G : F n 2 F n 2 equals O 2 3n2 +2n. For n = 6 the complexity is already 2 120. Oleksandr Kazymyrov Verification of EA-equivalence for Vectorial Boolean Functions 63 / 67

Summary Restricted EA-equivalence Complexity G(x) F (x) = M 1 G(M 2 x) O (n 2 2 n ) P F (x) = M 1 G(M 2 x V 2 ) V 1 O (n 2 2n ) P F (x) = M 1 G(x V 2 ) V 1 O (2 2n+1 ) F (x) = M 1 G(x V 2 ) V 1 O (n 2 3n ) A F (x) = G(M 2 x V 2 ) V 1 O (n 2 n ) P F (x) = G(x V 2 ) M 3 x V 1 O (n 2 n ) A F (x) = M 1 G(x V 2 ) M 3 x V 1 O (2 2n+1 ) F (x) = M 1 G(x V 2 ) M 3 x V 1 O (n 2 3n ) A - G is under condition {2 i 0 i m 1} img(g ) where G (x) = G(x) + G(0). - G is under condition {2 i 0 i m 1} img(g ) where G (x) = G(x) L G (x) G(0). Oleksandr Kazymyrov Verification of EA-equivalence for Vectorial Boolean Functions 64 / 67

Conclusions Cryptanalytic methods applied to MICKEY, DES and MiniAES can be used to improve cryptographic properties of prospective ciphers In the post-aes era many cryptoprimitives providing high-level security use random substitutions The new heuristic method to generate S-boxes was proposed Surpass analogues used in Russian and Belorussian standards Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 65 / 67

Conclusions Several methods to check the REA-equivalence of two binary nonlinear mappings have been proposed Isomorphic representations open new directions in cryptanalysis Nonlinear mappings Overall design principles The main practical result is the designed software for effective generation and calculation of indicators of arbitrary nonlinear binary mappings. Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 66 / 67

Methods and Tools for Analysis of Symmetric Cryptographic Primitives Oleksandr Kazymyrov University of Bergen Norway 14th of October, 2014 Oleksandr Kazymyrov Methods and Tools for Analysis of Symmetric Cryptographic Primitives 67 / 67

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback