Showing papers on "Block cipher" published in 2013


Book ChapterDOI
26 May 2013
TL;DR: It is proved that the information gained by observing the leakage from one execution can be made negligible (in the masking order) and a formal security proof for masked implementations of block ciphers is provided.
Abstract: Masking is a well-known countermeasure to protect block cipher implementations against side-channel attacks. The principle is to randomly split every sensitive intermediate variable occurring in the computation into d + 1 shares, where d is called the masking order and plays the role of a security parameter. Although widely used in practice, masking is often considered as an empirical solution and its effectiveness is rarely proved. In this paper, we provide a formal security proof for masked implementations of block ciphers. Specifically, we prove that the information gained by observing the leakage from one execution can be made negligible (in the masking order). To obtain this bound, we assume that every elementary calculation in the implementation leaks a noisy function of its input, where the amount of noise can be chosen by the designer (yet linearly bounded). We further assume the existence of a leak-free component that can refresh the masks of shared variables. Our work can be viewed as an extension of the seminal work of Chari et al. published at CRYPTO in 1999 on the soundness of combining masking with noise to thwart side-channel attacks.

326 citations


Book ChapterDOI
19 Aug 2013
TL;DR: A new block cipher LEA, which has 128-bit block size and 128, 192, or 256-bit key size is proposed, which provides a high-speed software encryption on general-purpose processors and is secure against all the existing attacks on block ciphers.
Abstract: We propose a new block cipher LEA, which has 128-bit block size and 128, 192, or 256-bit key size. It provides a high-speed software encryption on general-purpose processors. Our experiments show that LEA is faster than AES on Intel, AMD, ARM, and ColdFire platforms. LEA can be also implemented to have tiny code size. Its hardware implementation has a competitive throughput per area. It is secure against all the existing attacks on block ciphers.

193 citations


Book ChapterDOI
26 May 2013
TL;DR: This paper revisits meet-in-the-middle attacks on AES in the single-key model and improves on the Dunkelman, Keller and Shamir attacks from Asiacrypt 2010, and describes the best attack on 7 rounds of AES-128 where data/time/memory complexities are below 2^100.
Abstract: In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on the Dunkelman, Keller and Shamir attacks from Asiacrypt 2010. We present the best attack on 7 rounds of AES-128 where data/time/memory complexities are below 2^100. Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of 2^107 chosen plaintexts, a memory complexity of 2^96 and a time complexity of 2^172 for AES-192 and 2^196 for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with 2^120 chosen plaintexts and time and memory complexities of 2^203. All these attacks have been found by carefully studying the number of reachable multisets in the Dunkelman et al. attacks.

160 citations


Journal ArticleDOI
TL;DR: The proposed scheme introduces a substitution mechanism in the permutation process through a bit-level shuffling algorithm to address the efficiency problem encountered by many existing permutation-substitution type image ciphers.

154 citations


Proceedings ArticleDOI
20 Aug 2013
TL;DR: This paper considers the case where the adversary neither chooses nor knows the input messages and has access only to the faulty ciphertexts, and describes several attacks against AES-128 using non-uniform fault models.
Abstract: Classical fault attacks often require the ability to encrypt the same plaintext twice, in order to get one or several pairs of correct and faulty ciphertexts corresponding to the same message. This observation led some designers to think that a randomized mode of operation may be sufficient to protect block cipher encryption against this kind of threat. In this paper, we consider the case where the adversary neither chooses nor knows the input messages, and has access only to the faulty ciphertexts. In this context, we are able to describe several attacks against AES-128 using non-uniform fault models. Our attacks target the last 4 rounds and recover the correct key with practical time complexity, using a limited number of faulty ciphertexts. This work highlights the need for dedicated fault attack countermeasures in secure embedded systems.

146 citations


Journal ArticleDOI
TL;DR: A novel method to design a new substitution box is presented and its characteristics are compared with some prevailing boxes used in cryptography; the method offers a powerful algebraic complexity while keeping the software/hardware complexity within manageable parameters.
Abstract: Substitution boxes are used in block ciphers with the purpose of inducing confusion in data. The design of a substitution box determines the confusion ability of the cipher; therefore, many different types of boxes have been proposed by various authors in the literature. In this paper, we present a novel method to design a new substitution box and compare its characteristics with some prevailing boxes used in cryptography. The algorithm proposed in this paper applies the action of the projective linear group PGL(2, GF(2^8)) on the Galois field GF(2^8). The new substitution box corresponds to a particular type of linear fractional transformation, (35z + 15)/(9z + 5). In order to test the strength of the proposed substitution box, we apply the non-linearity test, bit independence criterion, linear approximation probability method, differential approximation probability method, strict avalanche criterion, and majority logic criterion. This new technique to synthesize a substitution box offers a powerful algebraic complexity while keeping the software/hardware complexity within manageable parameters.

128 citations


Book ChapterDOI
20 Aug 2013
TL;DR: A detailed security analysis of this new cipher taking its design specificities into account is provided, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest).
Abstract: The design and analysis of lightweight block ciphers has been a very active research area over the last couple of years, with many innovative proposals trying to optimize different performance figures. However, since these block ciphers are dedicated to low-cost embedded devices, their implementation is also a typical target for side-channel adversaries. As preventing such attacks with countermeasures usually implies significant performance overheads, a natural open problem is to propose new algorithms for which physical security is considered as an optimization criterion, hence allowing better performance again. We tackle this problem by studying how much we can tweak standard block ciphers such as the AES Rijndael in order to allow efficient masking (one of the most frequently considered solutions to improve security against side-channel attacks). For this purpose, we first investigate alternative S-boxes and round structures. We show that both approaches can be used separately in order to limit the total number of non-linear operations in the block cipher, hence allowing more efficient masking. We then combine these ideas into a concrete instance of a block cipher called Zorro. We further provide a detailed security analysis of this new cipher taking its design specificities into account, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest). Eventually, we conclude the paper by evaluating the efficiency of masked Zorro implementations on an 8-bit microcontroller, and exhibit their interesting performance figures.

116 citations


Journal ArticleDOI
TL;DR: The proposed nonlinear component assists in transforming the intelligible message or plaintext into an enciphered format by the use of Lorenz and Rössler chaotic systems.
Abstract: In this article, we present a method to synthesize strong nonlinear components used in encryption algorithms. The proposed nonlinear component assists in transforming the intelligible message or plaintext into an enciphered format by the use of the Lorenz and Rössler chaotic systems. A substitution box is generated that uses initial conditions, utilizes multi-chaotic parameter values, and employs numerical simulations.

114 citations


Book ChapterDOI
26 May 2013
TL;DR: A key rank estimation algorithm is described that provides tight bounds for the security level of leaking cryptographic devices and is able to analyze the full complexity of “standard” (i.e. divide-and-conquer) side-channel attacks, in terms of their tradeoff between time, data and memory complexity.
Abstract: Current key sizes for symmetric cryptography are usually required to be at least 80 bits long for short-term protection, and 128 bits long for long-term protection. However, current tools for security evaluations against side-channel attacks do not provide a precise estimation of the remaining key strength after some leakage has been observed, e.g. in terms of the number of candidates to test. This leads to an uncomfortable situation, where the security of an implementation can be anywhere between enumerable values (i.e. 2^10 − 2^50 key candidates to test) and the full key size (i.e. 2^60 − 2^128 key candidates to test). In this paper, we propose a solution to this issue, and describe a key rank estimation algorithm that provides tight bounds for the security level of leaking cryptographic devices. As a result and for the first time, we are able to analyze the full complexity of "standard" (i.e. divide-and-conquer) side-channel attacks, in terms of their tradeoff between time, data and memory complexity.

114 citations


Journal ArticleDOI
TL;DR: It is shown that it is not possible to avoid the security problems of that encryption architecture just by including a chaotic system as the core of the derived encryption system.

101 citations


Book
11 Apr 2013
TL;DR: This book covers the mathematics of stream ciphers and its history, and also discusses many modern examples and their robustness against attacks and is directed towards advanced undergraduate and graduate students in mathematics and computer science.
Abstract: In cryptography, cipher is the technical term for an encryption and decryption algorithm. Stream ciphers are an important sub-family that features high speed and easy implementation and are an essential part of wireless internet and mobile phones. Unlike block ciphers, stream ciphers work on single bits or single words and need to maintain an internal state to change the cipher at each step. Typically stream ciphers can reach higher speeds than block ciphers but they can be more vulnerable to attack. Here, mathematics comes into play. Number theory, algebra and statistics are the key to a better understanding of stream ciphers and essential for an informed decision on their safety. Since the theory is less developed, stream ciphers are often skipped in books on cryptography. This book fills this gap. It covers the mathematics of stream ciphers and its history, and also discusses many modern examples and their robustness against attacks. Part I covers linear feedback shift registers, non-linear combinations of LFSRs, algebraic attacks and irregularly clocked shift registers. Part II studies some special ciphers including the security of mobile phones, RC4 and related ciphers, the eSTREAM project and the Blum-Blum-Shub generator and related ciphers. Stream Ciphers requires basic knowledge of algebra and linear algebra, combinatorics and probability theory and programming. Appendices in Part III help the reader with the more complicated subjects and provide the mathematical background needed. They cover, for example, complexity, number theory, finite fields, statistics, combinatorics. Stream Ciphers concludes with exercises and solutions and is directed towards advanced undergraduate and graduate students in mathematics and computer science.

Journal ArticleDOI
TL;DR: In this article, the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations is explored, and the resulting family of hash functions is called spongent.
Abstract: The design of secure yet efficiently implementable cryptographic algorithms is a fundamental problem of cryptography. Lately, lightweight cryptography (optimizing the algorithms to fit the most constrained environments) has received a great deal of attention, the recent research being mainly focused on building block ciphers. As opposed to that, the design of lightweight hash functions is still far from being well investigated, with only few proposals in the public domain. In this paper, we aim to address this gap by exploring the design space of lightweight hash functions based on the sponge construction instantiated with PRESENT-type permutations. The resulting family of hash functions is called spongent. We propose 13 spongent variants, for different levels of collision and (second) preimage resistance as well as for various implementation constraints. For each of them, we provide several ASIC hardware implementations, ranging from the lowest area to the highest throughput. We make efforts to address the fairness of comparison with other designs in the field by providing an exhaustive hardware evaluation on various technologies, including an open core library. We also prove essential differential properties of spongent permutations, give a security analysis in terms of collision and preimage resistance, and study in detail dedicated linear distinguishers.

Posted Content
TL;DR: COPE as mentioned in this paper is a parallelizable online authenticated cipher with nonce-misuse resistance, which performs two calls to the underlying block cipher per plaintext block and is fully parallelizable in both encryption and decryption.
Abstract: Online ciphers encrypt an arbitrary number of plaintext blocks and output ciphertext blocks which only depend on the preceding plaintext blocks. All online ciphers proposed so far are essentially serial, which significantly limits their performance on parallel architectures such as modern general-purpose CPUs or dedicated hardware. We propose the first parallelizable online cipher, COPE. It performs two calls to the underlying block cipher per plaintext block and is fully parallelizable in both encryption and decryption. COPE is proven secure against chosen-plaintext attacks assuming the underlying block cipher is a strong PRP. We then extend COPE to create COPA, the first parallelizable, online authenticated cipher with nonce-misuse resistance. COPA only requires two extra block cipher calls to provide integrity. The privacy and integrity of the scheme are proven secure assuming the underlying block cipher is a strong PRP. Our implementation with Intel AES-NI on a Sandy Bridge CPU architecture shows that both COPE and COPA are about 5 times faster than their closest competition: TC1, TC3, and McOE-G. This high factor of advantage emphasizes the paramount role of parallelizability on up-to-date computing platforms.

Journal ArticleDOI
TL;DR: A novel formation of the nonlinear component of block cipher by merging two different structures namely the Kuramoto–Sivashinsky equation as a chaotic system and the Galois field as an algebraic structure is proposed.
Abstract: In this manuscript, we propose a novel formation of the nonlinear component of a block cipher. The proposed method is chaos based. We merge two different structures, namely the Kuramoto–Sivashinsky equation as a chaotic system and the Galois field (GF) as an algebraic structure. We design an innovative block cipher with the help of the planned chaotic scheme. We investigated some standard properties of our proposed nonlinear component against already existing standard results for block ciphers. The results of the analysis confirm that the designed cryptosystem is reliable for secure communication.

Posted Content
TL;DR: A series of observations on the presented construction of the SIMON family of ciphers are presented that, in some cases, yield attacks, while in other cases may provide basis of further analysis by the cryptographic community.
Abstract: Recently, the U.S. National Security Agency has published the specifications of two families of lightweight block ciphers, SIMON and SPECK, on ePrint [2]. The ciphers are developed with optimization towards both hardware and software in mind. While the specification paper discusses design requirements and performance of the presented lightweight ciphers thoroughly, no security assessment is given. This paper is a move towards filling that cryptanalysis gap for the SIMON family of ciphers. We present a series of observations on the presented construction that, in some cases, yield attacks, while in other cases may provide a basis for further analysis by the cryptographic community. Specifically, we obtain attacks using classical as well as truncated differentials. In the former case, we show how the smallest version of SIMON, Simon32/64, exhibits a strong differential effect.

Book ChapterDOI
06 May 2013
TL;DR: It is shown that the attacks which are effective on software-oriented lightweight block ciphers cannot reduce the 80-bit security level of ITUbee, and the low memory requirement of the cipher is remarkable.
Abstract: In this paper, we propose a software-oriented lightweight block cipher, ITUbee. The cipher is especially suitable for resource-constrained devices including 8-bit microcontrollers such as sensor nodes in wireless sensor networks. For a sensor node one of the most important constraints is low energy consumption because of the limited battery power. Also, the memory on sensor nodes is restricted. We have simulated the performance of ITUbee on the AVR ATtiny45 microcontroller using the integrated development platform Atmel Studio 6. We have evaluated the memory usage and clock cycles needed for an encryption. The number of clock cycles gives a metric for energy consumption. The simulation results show that ITUbee is a competitive block cipher on 8-bit software platforms in terms of energy consumption. Also, the low memory requirement of the cipher is remarkable. In addition, we have shown that the attacks which are effective on software-oriented lightweight block ciphers cannot reduce the 80-bit security level of ITUbee.

Book ChapterDOI
14 Aug 2013
TL;DR: The fast Fourier transform (FFT) technique is used to speed up the zero-correlation cryptanalysis of block ciphers and improves upon the state-of-the-art cryptanalysis for the ISO/IEC standard and CRYPTREC-portfolio cipher Camellia.
Abstract: Zero-correlation linear cryptanalysis is based on linear approximations with correlation exactly zero, which essentially generalizes the integral property, and has already been applied to several block ciphers, among others yielding the best known attacks to date on round-reduced TEA and CAST-256 as published in FSE'12 and ASIACRYPT'12, respectively. In this paper, we use the fast Fourier transform (FFT) technique to speed up zero-correlation cryptanalysis. First, this allows us to improve upon the state-of-the-art cryptanalysis for the ISO/IEC standard and CRYPTREC-portfolio cipher Camellia. Namely, we present zero-correlation attacks on 11-round Camellia-128 and 12-round Camellia-192 with FL/FL^{-1} and whitening key starting from the first round, which is an improvement in the number of attacked rounds in both cases. Moreover, we provide multidimensional zero-correlation cryptanalysis of 14-round CLEFIA-192 and 15-round CLEFIA-256, which are attacks on the highest numbers of rounds in the classical single-key setting, respectively, with improvements in memory complexity.

Book ChapterDOI
09 Jul 2013
TL;DR: In this article, a comprehensive area, power, and energy analysis of some of the most recently developed lightweight block ciphers and compared them to the standard AES algorithm is performed.
Abstract: In this paper we perform a comprehensive area, power, and energy analysis of some of the most recently developed lightweight block ciphers and we compare them to the standard AES algorithm. We do this for several different architectures of the considered block ciphers. Our evaluation method consists of estimating the pre-layout power consumption and the derived energy using Cadence Encounter RTL Compiler and ModelSim simulations. We show that the area is not always correlated to the power and energy consumption, which is of importance for mobile battery-fed devices. As a result, this paper can be used to make a choice of architecture when the algorithm has already been fixed; or it can help decide which algorithm to choose based on energy and key/block length requirements.

Book ChapterDOI
18 Aug 2013
TL;DR: This paper argues that the previous “bounded leakage” requirements used in leakage-resilient cryptography are hard to fulfill by hardware engineers, and introduces a new, more realistic and empirically verifiable assumption of simulatable leakage, under which security proofs in the standard model can be obtained.
Abstract: Leakage-resilient cryptography aims at formally proving the security of cryptographic implementations against large classes of side-channel adversaries. One important challenge for such an approach to be relevant is to adequately connect the formal models used in the proofs with the practice of side-channel attacks. It raises the fundamental problem of finding reasonable restrictions of the leakage functions that can be empirically verified by evaluation laboratories. In this paper, we first argue that the previous “bounded leakage” requirements used in leakage-resilient cryptography are hard to fulfill by hardware engineers. We then introduce a new, more realistic and empirically verifiable assumption of simulatable leakage, under which security proofs in the standard model can be obtained. We finally illustrate our claims by analyzing the physical security of an efficient pseudorandom generator (for which security could only be proven under a random oracle based assumption so far). These positive results come at the cost of (algorithm-level) specialization, as our new assumption is specifically defined for block ciphers. Nevertheless, since block ciphers are the main building block of many leakage-resilient cryptographic primitives, our results also open the way towards more realistic constructions and proofs for other pseudorandom objects.

Book ChapterDOI
01 Dec 2013
TL;DR: In this paper, a generic key recovery attack on Feistel-type block ciphers is proposed, based on the all subkeys recovery approach presented in SAC 2012.
Abstract: We propose new generic key recovery attacks on Feistel-type block ciphers. The proposed attack is based on the all subkeys recovery approach presented in SAC 2012, which determines all subkeys instead of the master key. This enables us to construct a key recovery attack without taking into account a key scheduling function. With our advanced techniques, we apply several key recovery attacks to Feistel-type block ciphers. For instance, we show 8-, 9- and 11-round key recovery attacks on n-bit Feistel ciphers with 2n-bit key employing random keyed F-functions, random F-functions, and SP-type F-functions, respectively. Moreover, thanks to the meet-in-the-middle approach, our attack leads to low-data complexity. To demonstrate the usefulness of our approach, we show a key recovery attack on the 8-round reduced CAST-128, which is the best attack with respect to the number of attacked rounds. Since our approach derives the lower bounds on the numbers of rounds to be secure under the single secret key setting, it can be considered that we unveil the limitation of designing an efficient block cipher by a Feistel scheme such as a low-latency cipher.

Book ChapterDOI
11 Mar 2013
TL;DR: A way is found to automatically model SPN block ciphers and meet-in-the-middle attacks that allows performing an exhaustive search for this kind of attack and automatically recovers all the recent improved attacks of Derbez, Fouque and Jean on AES.
Abstract: In this paper, we revisit the Demirci and Selçuk meet-in-the-middle attacks on AES. We find a way to automatically model SPN block ciphers and meet-in-the-middle attacks that allows performing an exhaustive search for this kind of attack. This search uses the tool developed by Bouillaguet, Derbez and Fouque at CRYPTO 2011 as a subroutine to solve specific systems. We also take into account ideas introduced by Dunkelman, Keller and Shamir at ASIACRYPT 2010, which can be seen as a new tradeoff of the classical time/memory tradeoff used by Demirci and Selçuk. As a result, we automatically recover all the recent improved attacks of Derbez, Fouque and Jean on AES and we show new improved attacks against 8 rounds of AES-192 and AES-256.

Proceedings ArticleDOI
31 Oct 2013
TL;DR: The results obtained from the analysis of correlation coefficient showed that Blowfish algorithm gives a good nonlinear relation between plaintext and ciphertext while the results of avalanche effect indicate that the algorithm presents good avalanche effect from the second round.
Abstract: The Blowfish algorithm (BA) is a symmetric block cipher with a 64-bit block size and variable key lengths from 32 bits up to a maximum of 448 bits. In order to measure the degree of security of the Blowfish algorithm, some cryptographic tests must be applied, such as randomness tests, avalanche criteria and the correlation coefficient. In this paper we attempt to analyze the security of Blowfish using avalanche criteria and the correlation coefficient. We analyzed the randomness of the Blowfish output in an earlier paper titled "Randomness Analysis on Blowfish Block Cipher using ECB and CBC Modes". The results obtained from the analysis of the correlation coefficient showed that the Blowfish algorithm gives a good nonlinear relation between plaintext and ciphertext, while the results of the avalanche effect indicate that the algorithm presents a good avalanche effect from the second round. C++ is used in the implementation of the Blowfish algorithm; MATLAB programming (MathWorks, R2012a) is used in the implementation of the avalanche effect and correlation coefficient.

Book ChapterDOI
18 Aug 2013
TL;DR: Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of the construction of a key-schedule for block ciphers.
Abstract: While the symmetric-key cryptography community has now a good experience on how to build a secure and efficient fixed permutation, it remains an open problem how to design a key-schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction.

Book ChapterDOI
14 Aug 2013
TL;DR: A new class of such schemes, called Extended Generalized Feistel Networks, well suited for cryptographic applications is proposed; those proposals are instantiated into two particular constructions and their security is analyzed.
Abstract: While Generalized Feistel Networks have been widely studied in the literature as a building block of a block cipher, we propose in this paper a unified vision to easily represent them through a matrix representation. We then propose a new class of such schemes called Extended Generalized Feistel Networks well suited for cryptographic applications. We instantiate those proposals into two particular constructions and we finally analyze their security.

Book ChapterDOI
18 Aug 2013
TL;DR: A new shuffling algorithm, called Mix-and-Cut, is provided that gives a provably secure block cipher even for adversaries that can observe the encryption of all N = 2^n domain points.
Abstract: We provide a new shuffling algorithm, called Mix-and-Cut, that provides a provably secure block cipher even for adversaries that can observe the encryption of all N = 2^n domain points. Such fully secure ciphers are useful for format-preserving encryption, where small domains (e.g., n = 30) are common and databases may well include examples of almost all ciphertexts. Mix-and-Cut derives from a general framework for building fully secure pseudorandom permutations (PRPs) from fully secure pseudorandom separators (PRSs). The latter is a new primitive that we treat for the first time. Our framework was inspired by, and uses ideas from, a particular cipher due to Granboulan and Pornin. To achieve full security for Mix-and-Cut using this framework, we give a simple proof that a PRP secure for (1 − ε)N queries (recently achieved efficiently by Hoang, Morris, and Rogaway's Swap-or-Not cipher) yields a PRS secure for N queries.

Journal ArticleDOI
TL;DR: This work presents the details of the S-box synthesis process and issues pertaining to creating resistance against various types of attacks, and highlights the consequences of a particular design methodology.
Abstract: In the modern era of secure communication, it is important to create uncertainty in the original data in order to prevent unauthorized entities from extracting or manipulating information. From simple methods such as permutations of the original data to different mapping algorithms, the security of ciphers relies on the substitution process. There are many types of components proposed in the literature that are evolved by different methodologies and ideas. The prevailing ciphers use substitution boxes (S-boxes) to do this transformation process. In this work, we present a literature review of the design, construction, and analysis of the S-boxes used in block ciphers. The performance of an S-box depends on the design and algebraic structure used for its construction and is contingent upon its ability to resist cryptanalysis. We present the details of the S-box synthesis process and issues pertaining to creating resistance against various types of attacks, and highlight the consequences of a particular design methodology. In the infancy of the development of modern block ciphers, Shannon (Bell Syst. Tech. J. 28(4):656–715, 1949) presented the idea of encryption with the implementation of a substitution-permutation network (SPN). In this process, the data is initially transformed by the substitution process and then permuted, which ends the first round, supported by the secret key for this step. This substitution-permutation process is repeated several times to ensure reliability of the encrypted data. The objective of using the substitution-permutation network is to create confusion between ciphertext and secret key, and to add diffusion in the plaintext.

Proceedings ArticleDOI
08 May 2013
TL;DR: An improved implementation of Yao's garbled circuit protocol in the semi-honest adversaries setting is presented which is up to 10 times faster than previous implementations and the first multi-threaded implementation of the base oblivious transfers is presented.
Abstract: Secure two-party computation is used as the basis for a large variety of privacy-preserving protocols, but often concerns about the low performance hinder the move away from non-private solutions. In this paper we present an improved implementation of Yao's garbled circuit protocol in the semi-honest adversaries setting which is up to 10 times faster than previous implementations. Our improvements include (1) the first multi-threaded implementation of the base oblivious transfers resulting in a speedup of a factor of two, (2) techniques for minimizing the memory footprint during oblivious transfer extensions and processing of circuits, (3) compilation of sub-circuits into files, and (4) caching of circuit descriptions and network packets. We implement improved circuit building blocks from the literature and present for the first time performance results for secure evaluation of the ultra-lightweight block cipher PRESENT within 7 ms online time.

01 Jan 2013
TL;DR: This paper is about encryption and decryption of images using a secret-key block cipher called 64-bit Blowfish, designed to increase security and to improve performance.
Abstract: With the progress in data exchange by electronic systems, the need for information security has become a necessity. Due to the growth of multimedia applications, security has become an important issue in the communication and storage of images. This paper is about encryption and decryption of images using a secret-key block cipher called 64-bit Blowfish, designed to increase security and to improve performance. This algorithm uses a variable key size of up to 448 bits. It employs a Feistel network which iterates a simple function 16 times. The Blowfish algorithm is safe against unauthorized attack and runs faster than the popular existing algorithms. The proposed algorithm is designed and realized using MATLAB.

Book ChapterDOI
26 May 2013
TL;DR: In this paper, the authors explore relations between differential and linear attacks and give the first instantiation of multiple differential cryptanalysis using the LLR statistical test on PRESENT, and show that certain zero-correlation linear distinguishers exist if and only if certain impossible differentials exist.
Abstract: Recently, a number of relations have been established among previously known statistical attacks on block ciphers. Leander showed in 2011 that statistical saturation distinguishers are on average equivalent to multidimensional linear distinguishers. Further relations between these two types of distinguishers and the integral and zero-correlation distinguishers were established by Bogdanov et al. [6]. Knowledge about such relations is useful for classification of statistical attacks in order to determine those that give essentially complementary information about the security of block ciphers. The purpose of the work presented in this paper is to explore relations between differential and linear attacks. The mathematical link between linear and differential attacks was discovered by Chabaud and Vaudenay already in 1994, but it has never been used in practice. We will show how to use it for computing accurate estimates of truncated differential probabilities from accurate estimates of correlations of linear approximations. We demonstrate this method in practice and give the first instantiation of multiple differential cryptanalysis using the LLR statistical test on PRESENT. On a more theoretical side, we establish equivalence between a multidimensional linear distinguisher and a truncated differential distinguisher, and show that certain zero-correlation linear distinguishers exist if and only if certain impossible differentials exist.

Book ChapterDOI
11 Mar 2013
TL;DR: In this article, the first third-party analysis of the PRINCE lightweight block cipher, and the underlying PRINCE_core, was presented, which showed that one can attack the full cipher with only a single pair of related keys.
Abstract: In this article, we provide the first third-party security analysis of the PRINCE lightweight block cipher, and the underlying \(\mathtt{PRINCE}_{core}\). First, while no claim was made by the authors regarding related-key attacks, we show that one can attack the full cipher with only a single pair of related keys, and then reuse the same idea to derive an attack in the single-key model for the full \(\mathtt{PRINCE}_{core}\) for several instances of the \(\alpha \) parameter (yet not the one randomly chosen by the designers). We also show how to exploit the structural linear relations that exist for PRINCE in order to obtain a key recovery attack that slightly breaks the security claims for the full cipher. We analyze the application of integral attacks to get the best known key-recovery attack on a reduced version of the PRINCE cipher. Finally, we provide time-memory-data tradeoffs that require only known plaintext-ciphertext data and that can be applied to full PRINCE.